
Windows Analysis Report
1.exe

Overview

General Information

Sample name: 1.exe
Analysis ID: 1583692
MD5: fe1297a73d0ffcb6ae4376e06f248093
SHA1: 5c7c56a17304846181bca7fd49b7e154a28677a8
SHA256: 5117533dc45c5ef9d651764ed3984ec486cf4fecb18f61d45eace1833559849a
Tags: Backdoor, exe, malware, meterpreter, user-Joker

Detection

Metasploit, Meterpreter
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Metasploit Payload
Yara detected Meterpreter
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 1.exe (PID: 6888 cmdline: "C:\Users\user\Desktop\1.exe" MD5: FE1297A73D0FFCB6AE4376E06F248093)
  • cleanup
Malware configuration (extracted): {"Type": "tcp", "IP": "8.130.94.218", "Port": 8877}
Source | Rule | Description | Author | Strings
1.exe | JoeSecurity_MetasploitPayload | Yara detected Metasploit Payload | Joe Security

Source | Rule | Description | Author | Strings
00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Metasploit_38b8ceec | Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). | unknown
  • 0x10d6:$a1: 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61
00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Metasploit_7bc0f998 | Identifies the API address lookup function leverage by metasploit shellcode | unknown
  • 0xf9f:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
  • 0x11df:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown
  • 0x100b:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
  • 0x124b:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Meterpreter | Yara detected Meterpreter | Joe Security
00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp | Windows_Trojan_Metasploit_38b8ceec | Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). | unknown
  • 0x26767:$a1: 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61

Source | Rule | Description | Author | Strings
0.2.1.exe.400000.0.unpack | JoeSecurity_Meterpreter | Yara detected Meterpreter | Joe Security
0.2.1.exe.400000.0.unpack | Windows_Trojan_Metasploit_38b8ceec | Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). | unknown
  • 0x37a0f:$a1: 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61
0.2.1.exe.400000.0.unpack | Windows_Trojan_Metasploit_7bc0f998 | Identifies the API address lookup function leverage by metasploit shellcode | unknown
  • 0x378d8:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
  • 0x37b18:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
0.2.1.exe.400000.0.unpack | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown
  • 0x37944:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
  • 0x37b84:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
0.2.1.exe.400000.0.unpack | MALWARE_Win_Meterpreter | Detects Meterpreter payload | ditekSHen
  • 0x38ab1:$s1: PACKET TRANSMIT
  • 0x38ac1:$s2: PACKET RECEIVE
  • 0x38961:$s3: \\%s\pipe\%s
  • 0x38a49:$s3: \\%s\pipe\%s
  • 0x388a5:$s4: %04x-%04x:%s
  • 0x35755:$s5: server.dll

No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: 1.exe | Avira: detected
Source: 0.2.1.exe.400000.0.unpack | Malware Configuration Extractor: Meterpreter {"Type": "tcp", "IP": "8.130.94.218", "Port": 8877}
Source: 1.exe | Virustotal: Detection: 73%
Source: 1.exe | ReversingLabs: Detection: 86%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 1.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00905910 _memcpy_s,CryptDuplicateKey,GetLastError,CryptSetKeyParam,CryptSetKeyParam,CryptGenRandom,GetLastError,GetLastError,CryptSetKeyParam,GetLastError,htonl,_malloc,_memcpy_s,CryptEncrypt,GetLastError,htonl,_memcpy_s,_memcpy_s,_malloc,htonl,_memcpy_s,_memcpy_s,CryptDestroyKey
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00905B01 _calloc,CryptAcquireContextW,GetLastError,CryptGenRandom,CryptImportKey,GetLastError,_free
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00905C90 CryptDestroyKey,CryptReleaseContext,_free
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00905CD1 CryptDecodeObjectEx,GetLastError,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptImportPublicKeyInfo,CryptEncrypt,CryptEncrypt,_calloc,_memcpy_s,CryptEncrypt,_free,LocalFree,CryptDestroyKey,CryptReleaseContext
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0090579E _calloc,htonl,htonl,CryptDuplicateKey,GetLastError,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,_memmove_s,htonl,htonl,_malloc,_memcpy_s,CryptDestroyKey
Source: 1.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Networking

Source: Yara match | File source: 0.2.1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1.exe.900000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Malware configuration extractor | URLs: 8.130.94.218
Source: global traffic | TCP traffic: 192.168.2.6:49708 -> 8.130.94.218:8877
Source: global traffic | TCP traffic: 192.168.2.6:56989 -> 1.1.1.1:53
Source: global traffic | TCP traffic: 192.168.2.6:61006 -> 162.159.36.2:53
Source: Joe Sandbox View | ASN Name: CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd
Source: unknown | TCP traffic detected without corresponding DNS query: 8.130.94.218
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00408B40 WSARecv,WSAGetLastError,WSAGetLastError,WSAGetLastError
Source: 1.exe | String found in binary or memory: http://www.apache.org/
Source: 1.exe | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 1.exe | String found in binary or memory: http://www.zeustech.net/
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00905B01 _calloc,CryptAcquireContextW,GetLastError,CryptGenRandom,CryptImportKey,GetLastError,_free

System Summary

Source: 0.2.1.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 0.2.1.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0.2.1.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.2.1.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 0.2.1.exe.900000.1.unpack, type: UNPACKEDPE | Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 0.2.1.exe.900000.1.unpack, type: UNPACKEDPE | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0.2.1.exe.900000.1.unpack, type: UNPACKEDPE | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.2.1.exe.900000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_004096C0: GetFileInformationByHandle,DeviceIoControl,GetLastError,GetLastError,GetLastError,WaitForSingleObject,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,WaitForSingleObject,SetLastError,GetOverlappedResult,GetLastError,GetLastError,GetLastError
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_004070D0
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00433880
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00406A40
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_004292E3
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00426ABD
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0042730A
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0043330E
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00425391
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0042FBB1
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0040B400
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_004244DE
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_004265C9
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00433DF2
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0043459A
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00426ED5
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00435723
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0042773F
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0042BFD3
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0090F04D
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0091F109
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00911138
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0091E961
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00920292
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_009122AE
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00911A44
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0090DBF2
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0091E3EF
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00916B42
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0091162C
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00913E52
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00911E79
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0091DE7D
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0090A78D
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0090FF00
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0091A720
Source: 1.exe | Binary or memory string: OriginalFilename vs 1.exe
Source: 1.exe, 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameab.exeF vs 1.exe
Source: 1.exe, 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameab.exeF vs 1.exe
Source: 1.exe | Binary or memory string: OriginalFilenameab.exeF vs 1.exe
Source: 1.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 0.2.1.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 0.2.1.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 0.2.1.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 0.2.1.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Meterpreter author = ditekSHen, description = Detects Meterpreter payload
Source: 0.2.1.exe.900000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 0.2.1.exe.900000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 0.2.1.exe.900000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 0.2.1.exe.900000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Meterpreter author = ditekSHen, description = Detects Meterpreter payload
Source: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Meterpreter author = ditekSHen, description = Detects Meterpreter payload
Source: 1.exe | Static PE information: Section: .hobp ZLIB complexity 0.9894076260653409
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00901BAC GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,OpenProcess,GetLastError,CreateEventW,GetCurrentProcess,DuplicateHandle,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,_free,_free,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0090770B GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_009025C8 VirtualAllocEx,VirtualQueryEx,_malloc,_memset,WriteProcessMemory,WriteProcessMemory,_free,LoadLibraryA,GetProcAddress,CreateToolhelp32Snapshot,GetLastError,Thread32First,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,OpenThread,SuspendThread,CloseHandle,Thread32Next,SetLastError,GetLastError,Sleep,ResumeThread,CloseHandle,CloseHandle,FreeLibrary,SetLastError
Source: C:\Users\user\Desktop\1.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1.exe | Virustotal: Detection: 73%
Source: 1.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\Desktop\1.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\1.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0040A940 LoadLibraryA,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .hobp
Source: 1.exe | Static PE information: real checksum: 0x4a275 should be: 0x4a3cd
Source: 1.exe | Static PE information: section name: .hobp
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0040B840 push eax; ret 0_2_0040B86E
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0042E256 push ecx; ret 0_2_0042E269
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0042537C push ecx; ret 0_2_0042538C
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0043EDFA push eax; ret 0_2_0043EE2A
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0043EE79 push eax; ret 0_2_0043EE2A
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00918DC5 push ecx; ret 0_2_00918DD8
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0090FEEB push ecx; ret 0_2_0090FEFB
Source: 1.exe | Static PE information: section name: .hobp entropy: 7.987904405928033
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00913E52 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\1.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_0-38406
Source: C:\Users\user\Desktop\1.exe | API coverage: 3.2 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: 1.exe, 00000000.00000002.3354497608.00000000006DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\1.exe | API call chain: ExitProcess graph end node | graph_0-38296
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0091A1D9 IsDebuggerPresent
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00919768 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0040A940 LoadLibraryA,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0041A5F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00905168 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00913BE8 GetProcessHeap
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_009056FE GetModuleHandleW,SetUnhandledExceptionFilter,ExitProcess,ExitThread
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00918C43 SetUnhandledExceptionFilter,UnhandledExceptionFilter

        HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00904F7E VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,0_2_00904F7E
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00907604 CreateNamedPipeA,AllocateAndInitializeSid,AllocateAndInitializeSid,SetEntriesInAclW,AllocateAndInitializeSid,LocalAlloc,LocalAlloc,InitializeAcl,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetSecurityDescriptorSacl,0_2_00907604
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00409C80 AllocateAndInitializeSid,SetLastError,SetLastError,SetLastError,0_2_00409C80
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0090828E CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,ConnectNamedPipe,GetLastError,CloseHandle,0_2_0090828E
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00406A00 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,0_2_00406A00
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_00406B10 FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,SystemTimeToFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeZoneInformation,0_2_00406B10
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_0040A720 GetVersionExA,_isctype,__mb_cur_max,_isctype,_pctype,atoi,_isctype,__mb_cur_max,_isctype,_pctype,0_2_0040A720

        Remote Access Functionality

Source: Yara match | File source: 1.exe, type: SAMPLE
Source: Yara match | File source: 0.2.1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1.exe.900000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\1.exe | Code function: 0_2_009088C8 bind,WSAGetLastError,listen,accept,closesocket,0_2_009088C8
        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
        Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
        Native API
        1
        DLL Side-Loading
        1
        Access Token Manipulation
        1
        Access Token Manipulation
        OS Credential Dumping2
        System Time Discovery
        Remote Services11
        Archive Collected Data
        2
        Encrypted Channel
        Exfiltration Over Other Network Medium1
        Data Encrypted for Impact
        CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts11
        Process Injection
        11
        Process Injection
        LSASS Memory31
        Security Software Discovery
        Remote Desktop ProtocolData from Removable Media1
        Non-Standard Port
        Exfiltration Over BluetoothNetwork Denial of Service
        Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
        DLL Side-Loading
        2
        Obfuscated Files or Information
        Security Account Manager1
        Process Discovery
        SMB/Windows Admin SharesData from Network Shared Drive1
        Ingress Tool Transfer
        Automated ExfiltrationData Encrypted for Impact
        Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook2
        Software Packing
        NTDS3
        System Information Discovery
        Distributed Component Object ModelInput Capture1
        Application Layer Protocol
        Traffic DuplicationData Destruction
        Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
        DLL Side-Loading
        LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Source | Detection | Scanner | Label | Link
1.exe | 74% | Virustotal | | Browse
1.exe | 87% | ReversingLabs | Win32.Hacktool.Meterpreter |
1.exe | 100% | Avira | TR/Crypt.XPACK.Gen |
1.exe | 100% | Joe Sandbox ML | |
        No Antivirus matches
        No Antivirus matches
        No Antivirus matches
Source | Detection | Scanner | Label | Link
8.130.94.218 | 0% | Avira URL Cloud | safe |
        No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
8.130.94.218 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | 1.exe | false | | high
http://www.apache.org/ | 1.exe | false | | high
http://www.zeustech.net/ | 1.exe | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
8.130.94.218 | unknown | Singapore | | 37963 | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co Ltd | true
              Joe Sandbox version:41.0.0 Charoite
              Analysis ID:1583692
              Start date and time:2025-01-03 12:02:04 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 3m 51s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed:5
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:1.exe
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@1/0@0/1
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 94%
              • Number of executed functions: 14
              • Number of non-executed functions: 192
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
              • Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
              • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, 7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
              No simulations
              No context
              No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co Ltd | http://47.100.36.233:58765/template/ | Get hash | malicious | Unknown | Browse | 47.100.36.233
 | DEMONS.spc.elf | Get hash | malicious | Unknown | Browse | 139.252.21.15
 | 45631.exe | Get hash | malicious | Nitol | Browse | 39.103.20.59
 | 45631.exe | Get hash | malicious | Unknown | Browse | 39.103.20.59
 | Hilix.m68k.elf | Get hash | malicious | Mirai | Browse | 8.155.218.222
 | 1735021454574.exe | Get hash | malicious | Unknown | Browse | 120.78.149.238
 | 1734098836319.exe | Get hash | malicious | BlackMoon | Browse | 39.103.20.61
 | armv4l.elf | Get hash | malicious | Unknown | Browse | 59.82.127.195
 | armv6l.elf | Get hash | malicious | Unknown | Browse | 39.106.221.219
              No context
              No context
              No created / dropped files found
              File type:PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit):7.709780706687052
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:1.exe
              File size:250'880 bytes
              MD5:fe1297a73d0ffcb6ae4376e06f248093
              SHA1:5c7c56a17304846181bca7fd49b7e154a28677a8
              SHA256:5117533dc45c5ef9d651764ed3984ec486cf4fecb18f61d45eace1833559849a
              SHA512:6e6ccca77d78374d90054ecc66b2e65cd7652e2ccb9371034726005e67918746df91d5f696df6398a3d7fe469cedafee257fcd2f50d6e688366760f53653273e
              SSDEEP:6144:hqGdXu6wH0Nc8QsqrYZizEGu0Nyx6WKjLSsiuc7WujnD3o:hlu6kBrKy5/NQnMLSsiF7Wuzbo
              TLSH:EB34F106E884546AC0D9223CA7B637B9967DF5B23111828F7BDCCDE5BFC0870676A385
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8...Y...Y...Y...E...Y..TE...Y...F...Y...F...Y...Y...Y..TQ...Y...z...Y..._...Y..Rich.Y..................PE..L...6..J...........
              Icon Hash:00928e8e8686b000
              Entrypoint:0x416000
              Entrypoint Section:.hobp
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              DLL Characteristics:
              Time Stamp:0x4AC18036 [Tue Sep 29 03:34:14 2009 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:481f47bbb2c9c21e108d65f52b04c448
              Instruction
              mov edx, BCD2AB5Eh
              fcmovbe st(0), st(3)
              fstenv [esp-0Ch]
              pop eax
              xor ecx, ecx
              mov cx, ABAFh
              xor dword ptr [eax+16h], edx
              add eax, 04h
              add edx, dword ptr [eax+12h]
              mov esp, FA75085Eh
              out dx, eax
              adc al, 96h
              cmp eax, 35B31236h
              xchg eax, esp
              jmp far 982Eh : A59ED372h
              and al, B1h
              add ebx, ecx
              mov al, B9h
              xor al, ABh
              out 58h, eax
              test al, EFh
              cmp esi, dword ptr [eax+73853710h]
              jmp 00007FB7B8D263D5h
              xor ebx, edx
              inc esi
              inc esi
              nop
              enter FE5Bh, B0h
              pop ecx
              xor al, byte ptr [ebp+4Bh]
              adc al, 51h
              stc
              fst st(7)
              push ecx
              xchg eax, edi
              fcomp dword ptr [ebp-2A9DECFCh]
              ficomp dword ptr [eax+2DE6CC10h]
              xchg eax, ecx
              sar byte ptr [ebx+edx*2+169C972Fh], 0000004Ah
              iretd
              mov bh, 00000007h
              adc bl, byte ptr [edx]
              jl 00007FB7B8D263E8h
              mov esp, 08EA1082h
              xchg byte ptr [ecx-30BA974Fh], bl
              push edx
              call far 6ACFh : D04C6F3Ch
              popad
              rdtsc
              sbb al, CAh
              loop 00007FB7B8D26442h
              cld
              jmp 00007FB7B8D263EBh
              mov cl, 5Ah
              jnp 00007FB7B8D26485h
              mov dh, 4Fh
              jmp 00007FB8220273C9h
              sbb al, 35h
              jno 00007FB7B8D26434h
              js 00007FB7B8D26473h
              xchg eax, ecx
              lea esi, dword ptr [ebx+34028139h]
              push esp
              and ah, dh
              mov dh, 95h
              jnc 00007FB7B8D263DEh
              xchg eax, ebp
              xchg eax, esi
              test eax, 0757EF56h
              cmp esi, ecx
              pop edi
              lodsb
              cld
              sub dword ptr [edx], 8993BAB5h
              jns 00007FB7B8D2648Fh
              pop ebp
              or eax, 00000000h
              Programming Language:
              • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x40ed8 | 0x878 | .hobp
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x41750 | 0x7c0 | .hobp
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x41f10 | 0x8 | .hobp
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc000 | 0x1e0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa966 | 0xb000 | f29e95e927219cf6bd883d79b67751fd | False | 0.5658513849431818 | data | 6.425898089715655 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xc000 | 0xfe6 | 0x1000 | e0959e81b1a51eade42a7b129cb500e3 | False | 0.506591796875 | data | 5.474393666208469 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xd000 | 0x705c | 0x4000 | 283b5f792323d57b9db4d2bcc46580f8 | False | 0.25634765625 | Matlab v4 mat-file (little endian) d, numeric, rows 0, columns 0 | 4.407841023203495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x15000 | 0x7c8 | 0x1000 | c13a9413aea7291b6fc85d75bfcde381 | False | 0.197998046875 | data | 1.958296025171192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.hobp | 0x16000 | 0x2bf18 | 0x2c000 | ce956b30e0899e83bc03f2c779aeaff7 | False | 0.9894076260653409 | data | 7.987904405928033 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x417a8 | 0x768 | data | English | United States | 0.40189873417721517
DLL | Import
MSVCRT.dll | _iob, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __p___initenv, _XcptFilter, _exit, _onexit, __dllonexit, strrchr, wcsncmp, _close, wcslen, wcscpy, strerror, modf, strspn, realloc, __p__environ, __p__wenviron, _errno, free, strncmp, strstr, strncpy, _ftol, qsort, fopen, perror, fclose, fflush, calloc, malloc, signal, printf, _isctype, atoi, exit, __mb_cur_max, _pctype, strchr, fprintf, _controlfp, _strdup, _strnicmp
KERNEL32.dll | PeekNamedPipe, ReadFile, WriteFile, LoadLibraryA, GetProcAddress, GetVersionExA, GetExitCodeProcess, TerminateProcess, LeaveCriticalSection, SetEvent, ReleaseMutex, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, CreateMutexA, GetFileType, SetLastError, FreeEnvironmentStringsW, GetEnvironmentStringsW, GlobalFree, GetCommandLineW, TlsAlloc, TlsFree, DuplicateHandle, GetCurrentProcess, SetHandleInformation, CloseHandle, GetSystemTimeAsFileTime, FileTimeToSystemTime, GetTimeZoneInformation, FileTimeToLocalFileTime, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, Sleep, FormatMessageA, GetLastError, WaitForSingleObject, CreateEventA, SetStdHandle, SetFilePointer, CreateFileA, CreateFileW, GetOverlappedResult, DeviceIoControl, GetFileInformationByHandle, LocalFree
ADVAPI32.dll | FreeSid, AllocateAndInitializeSid
WSOCK32.dll | getsockopt, connect, htons, gethostbyname, ntohl, inet_ntoa, setsockopt, socket, closesocket, select, ioctlsocket, __WSAFDIsSet, WSAStartup, WSACleanup, WSAGetLastError
WS2_32.dll | WSARecv, WSASend
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 3, 2025 12:02:54.254203081 CET | 49708 | 8877 | 192.168.2.6 | 8.130.94.218
Jan 3, 2025 12:02:54.259054899 CET | 8877 | 49708 | 8.130.94.218 | 192.168.2.6
Jan 3, 2025 12:02:54.259145021 CET | 49708 | 8877 | 192.168.2.6 | 8.130.94.218
Jan 3, 2025 12:03:13.511598110 CET | 56989 | 53 | 192.168.2.6 | 1.1.1.1
Jan 3, 2025 12:03:13.516427994 CET | 53 | 56989 | 1.1.1.1 | 192.168.2.6
Jan 3, 2025 12:03:13.516514063 CET | 56989 | 53 | 192.168.2.6 | 1.1.1.1
Jan 3, 2025 12:03:13.526982069 CET | 53 | 56989 | 1.1.1.1 | 192.168.2.6
Jan 3, 2025 12:03:13.957499981 CET | 56989 | 53 | 192.168.2.6 | 1.1.1.1
Jan 3, 2025 12:03:13.962615013 CET | 53 | 56989 | 1.1.1.1 | 192.168.2.6
Jan 3, 2025 12:03:13.962661982 CET | 56989 | 53 | 192.168.2.6 | 1.1.1.1
Jan 3, 2025 12:03:15.644661903 CET | 8877 | 49708 | 8.130.94.218 | 192.168.2.6
Jan 3, 2025 12:03:15.644810915 CET | 49708 | 8877 | 192.168.2.6 | 8.130.94.218
Jan 3, 2025 12:03:15.652434111 CET | 57002 | 8877 | 192.168.2.6 | 8.130.94.218
Jan 3, 2025 12:03:15.657278061 CET | 8877 | 57002 | 8.130.94.218 | 192.168.2.6
Jan 3, 2025 12:03:15.658437967 CET | 57002 | 8877 | 192.168.2.6 | 8.130.94.218
Jan 3, 2025 12:03:15.659073114 CET | 49708 | 8877 | 192.168.2.6 | 8.130.94.218
Jan 3, 2025 12:03:15.663871050 CET | 8877 | 49708 | 8.130.94.218 | 192.168.2.6
Jan 3, 2025 12:03:37.020181894 CET | 8877 | 57002 | 8.130.94.218 | 192.168.2.6
Jan 3, 2025 12:03:37.020389080 CET | 57002 | 8877 | 192.168.2.6 | 8.130.94.218
Jan 3, 2025 12:03:37.021132946 CET | 57139 | 8877 | 192.168.2.6 | 8.130.94.218
Jan 3, 2025 12:03:37.021728992 CET | 57002 | 8877 | 192.168.2.6 | 8.130.94.218
Jan 3, 2025 12:03:37.025891066 CET | 8877 | 57139 | 8.130.94.218 | 192.168.2.6
Jan 3, 2025 12:03:37.025964975 CET | 57139 | 8877 | 192.168.2.6 | 8.130.94.218
Jan 3, 2025 12:03:37.026454926 CET | 8877 | 57002 | 8.130.94.218 | 192.168.2.6
Jan 3, 2025 12:03:39.095124006 CET | 61006 | 53 | 192.168.2.6 | 162.159.36.2
Jan 3, 2025 12:03:39.099991083 CET | 53 | 61006 | 162.159.36.2 | 192.168.2.6
Jan 3, 2025 12:03:39.100061893 CET | 61006 | 53 | 192.168.2.6 | 162.159.36.2
Jan 3, 2025 12:03:39.104891062 CET | 53 | 61006 | 162.159.36.2 | 192.168.2.6
Jan 3, 2025 12:03:39.555274010 CET | 61006 | 53 | 192.168.2.6 | 162.159.36.2
Jan 3, 2025 12:03:39.561357975 CET | 53 | 61006 | 162.159.36.2 | 192.168.2.6
Jan 3, 2025 12:03:39.561399937 CET | 61006 | 53 | 192.168.2.6 | 162.159.36.2
Jan 3, 2025 12:03:58.410062075 CET | 8877 | 57139 | 8.130.94.218 | 192.168.2.6
Jan 3, 2025 12:03:58.410334110 CET | 57139 | 8877 | 192.168.2.6 | 8.130.94.218
Jan 3, 2025 12:03:58.411063910 CET | 61048 | 8877 | 192.168.2.6 | 8.130.94.218
Jan 3, 2025 12:03:58.411712885 CET | 57139 | 8877 | 192.168.2.6 | 8.130.94.218
Jan 3, 2025 12:03:58.415903091 CET | 8877 | 61048 | 8.130.94.218 | 192.168.2.6
Jan 3, 2025 12:03:58.415976048 CET | 61048 | 8877 | 192.168.2.6 | 8.130.94.218
Jan 3, 2025 12:03:58.416421890 CET | 8877 | 57139 | 8.130.94.218 | 192.168.2.6
Jan 3, 2025 12:04:19.802268028 CET | 8877 | 61048 | 8.130.94.218 | 192.168.2.6
Jan 3, 2025 12:04:19.802536011 CET | 61048 | 8877 | 192.168.2.6 | 8.130.94.218
Jan 3, 2025 12:04:19.803375006 CET | 61049 | 8877 | 192.168.2.6 | 8.130.94.218
Jan 3, 2025 12:04:19.803935051 CET | 61048 | 8877 | 192.168.2.6 | 8.130.94.218
Jan 3, 2025 12:04:19.808233023 CET | 8877 | 61049 | 8.130.94.218 | 192.168.2.6
Jan 3, 2025 12:04:19.808320999 CET | 61049 | 8877 | 192.168.2.6 | 8.130.94.218
Jan 3, 2025 12:04:19.808687925 CET | 8877 | 61048 | 8.130.94.218 | 192.168.2.6
Jan 3, 2025 12:04:41.195276022 CET | 8877 | 61049 | 8.130.94.218 | 192.168.2.6
Jan 3, 2025 12:04:41.195333004 CET | 61049 | 8877 | 192.168.2.6 | 8.130.94.218
Jan 3, 2025 12:04:41.195976019 CET | 61050 | 8877 | 192.168.2.6 | 8.130.94.218
Jan 3, 2025 12:04:41.196548939 CET | 61049 | 8877 | 192.168.2.6 | 8.130.94.218
Jan 3, 2025 12:04:41.200764894 CET | 8877 | 61050 | 8.130.94.218 | 192.168.2.6
Jan 3, 2025 12:04:41.200836897 CET | 61050 | 8877 | 192.168.2.6 | 8.130.94.218
Jan 3, 2025 12:04:41.201354980 CET | 8877 | 61049 | 8.130.94.218 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 3, 2025 12:03:13.502351999 CET | 53 | 56571 | 1.1.1.1 | 192.168.2.6
Jan 3, 2025 12:03:39.092398882 CET | 53 | 52092 | 162.159.36.2 | 192.168.2.6
Jan 3, 2025 12:03:39.574321985 CET | 53 | 62046 | 1.1.1.1 | 192.168.2.6


              Target ID:0
              Start time:06:02:53
              Start date:03/01/2025
              Path:C:\Users\user\Desktop\1.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\1.exe"
              Imagebase:0x400000
              File size:250'880 bytes
              MD5 hash:FE1297A73D0FFCB6AE4376E06F248093
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Windows_Trojan_Metasploit_38b8ceec, Description: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., Source: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Meterpreter, Description: Yara detected Meterpreter, Source: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Metasploit_38b8ceec, Description: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., Source: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
              • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
              • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
              • Rule: MALWARE_Win_Meterpreter, Description: Detects Meterpreter payload, Source: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
              Reputation:low
              Has exited:false


                Execution Graph

                Execution Coverage:1.1%
                Dynamic/Decrypted Code Coverage:97.5%
                Signature Coverage:5.6%
                Total number of Nodes:393
                Total number of Limit Nodes:12
                execution_graph 37955 41a5f9 37956 41a61b 37955->37956 37957 41a641 GetPEB 37956->37957 37958 41a83f VirtualAlloc 37957->37958 37962 41a66c 37957->37962 37961 41a861 37958->37961 37959 41a8c4 LoadLibraryA 37959->37961 37960 41aad1 37961->37959 37964 41a940 37961->37964 37962->37958 37963 41aaba VirtualProtect 37963->37964 37964->37960 37964->37963 37965 913a0a 37966 913a13 37965->37966 37967 913a18 37965->37967 37983 918780 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 37966->37983 37971 913a2d 37967->37971 37970 913a26 37972 913a39 __setmbcp 37971->37972 37974 913ae4 __setmbcp 37972->37974 37978 913a87 37972->37978 37988 913898 138 API calls 14 library calls 37972->37988 37974->37970 37976 913ac1 37976->37974 37990 913898 138 API calls 14 library calls 37976->37990 37978->37974 37984 90575e 37978->37984 37979 90575e ___DllMainCRTStartup 214 API calls 37981 913ab7 37979->37981 37989 913898 138 API calls 14 library calls 37981->37989 37983->37967 37985 90576a 37984->37985 37987 90576f 37984->37987 37985->37987 37991 9056fe 37985->37991 37987->37976 37987->37979 37988->37978 37989->37976 37990->37974 37992 905719 37991->37992 37993 90570d GetModuleHandleW 37991->37993 38002 90789b 37992->38002 37993->37992 37995 905723 37996 905756 ExitThread 37995->37996 37997 90572f 37995->37997 37998 905738 37997->37998 37999 90574f ExitProcess 37997->37999 38000 905742 SetUnhandledExceptionFilter 37998->38000 38001 905749 37998->38001 38000->38001 38001->37987 38003 9078aa _memset ___DllMainCRTStartup 38002->38003 38060 90a322 LoadLibraryA GetProcAddress 38003->38060 38007 9078ea 38064 91050d 38007->38064 38013 907905 38014 90790b SetLastError 38013->38014 38102 905078 GetSystemTime SystemTimeToFileTime 38013->38102 38017 907b37 38014->38017 38220 90694e 65 API calls ___DllMainCRTStartup 38017->38220 38018 907926 38104 907d11 38018->38104 38020 907b3d 38221 901109 WaitForSingleObject ReleaseMutex WaitForSingleObject 
___DllMainCRTStartup 38020->38221 38023 907b42 38222 9061a4 63 API calls 3 library calls 38023->38222 38028 907b48 ___DllMainCRTStartup 38028->37995 38030 90799a 38125 90f7c0 38030->38125 38034 9079b0 OpenThreadToken 38035 9079db 38034->38035 38036 9079cc GetCurrentProcess OpenProcessToken 38034->38036 38156 906925 38035->38156 38036->38035 38039 9079ed 38160 907b77 38039->38160 38043 907a29 38044 91028b ___DllMainCRTStartup 59 API calls 38043->38044 38045 907a38 GetCurrentThreadId GetThreadDesktop GetUserObjectInformationA 38044->38045 38046 91028b ___DllMainCRTStartup 59 API calls 38045->38046 38047 907a65 38046->38047 38048 91028b ___DllMainCRTStartup 59 API calls 38047->38048 38049 907a74 38048->38049 38050 905078 ___DllMainCRTStartup 2 API calls 38049->38050 38053 907a7e 38050->38053 38051 907b1e ___DllMainCRTStartup 38219 906556 62 API calls 2 library calls 38051->38219 38053->38051 38056 907b05 38053->38056 38178 908e70 38053->38178 38200 908cd0 38053->38200 38209 908e29 38053->38209 38218 905c90 61 API calls _free 38053->38218 38056->38053 38217 905035 Sleep Sleep 38056->38217 38061 9078e4 38060->38061 38062 9110e7 GetSystemTimeAsFileTime 38061->38062 38063 911115 __aulldiv 38062->38063 38063->38007 38223 915881 38064->38223 38067 90a1d1 38068 90f7c0 _malloc 59 API calls 38067->38068 38069 90a1df 38068->38069 38070 9078fb 38069->38070 38071 90a1ea _memset 38069->38071 38080 90613a 38070->38080 38072 90a1f5 GetCurrentThreadId 38071->38072 38250 90a133 38072->38250 38074 90a205 LoadLibraryA GetProcAddress 38075 90a235 LoadLibraryA GetProcAddress 38074->38075 38078 90a228 38074->38078 38076 90a283 FreeLibrary 38075->38076 38077 90a255 38075->38077 38079 90a28c FreeLibrary 38076->38079 38077->38076 38078->38079 38079->38070 38259 910021 59 API calls 2 library calls 38080->38259 38082 906144 38260 90a0b7 38082->38260 38085 906170 38088 90617b 38085->38088 38089 906174 38085->38089 38086 906151 38087 906155 38086->38087 38086->38088 38265 905eba 59 API calls 
Execution graph (rendered as an interactive node graph on the original page; the raw node and edge list is not reproduced here). Call paths recoverable from the graph:
• Connect path: 9086f9 calls 908724 (WSAStartup), then 908745 (socket, gethostbyname, inet_ntoa, inet_addr, htons) and the connect helper 9086ae, which calls connect at 9086bf; while connect fails, the loop at 9086d5 calls closesocket (9086ea) and Sleep (905035) and retries. WSAStartup failure goes to 90873d (WSAGetLastError).
• Receive path: 908aa3 takes a mutex through 90a109 (WaitForSingleObject at 90a113), then calls recv at 908aeb and 908b3c, htonl at 908ba8, _malloc (90f7c0), _memcpy_s (912b88), recv again at 908bf1 and _memcmp at 908c37, which leads into 90579e or 905e5b; error exits pass through GetLastError/SetLastError (908b61, 908b6e, 908b7d, 908bcf, 908c7e, 908ca8) and the mutex is released at 90a129 (ReleaseMutex). 908a39 wraps select (908a55) in the same WaitForSingleObject/ReleaseMutex pair.
• Dispatch loop: 908cd0 repeatedly calls 90a1b3 (WaitForSingleObject at 90a1bf), 908a39, 908aa3 and 901136, taking timestamps from 905078 (GetSystemTime, SystemTimeToFileTime, __aulldiv).
• Thread handling: 90a29b allocates with 90f7c0, calls 90a133 (CreateEventW at 90a152) and CreateThread at 90a2da; the thread routine 90a3e0 goes through 90a322 into 908df1, which loops on recv (908e00), calls closesocket (908e13) and ends in 90a3b2/90a3c9 (CloseHandle). 908e29 calls closesocket (908e47) before starting a thread via 90a29b and resuming it at 90a350 (ResumeThread). 90a0b7 creates the mutex with CreateMutexW (90a0d2).
• Environment checks: 907b77 calls LoadLibraryA (907b89), GetProcAddress (907b9a), GetCurrentProcessId and ProcessIdToSessionId (907bb6) and FreeLibrary (907bd9); on return the caller at 9079f7 calls GetProcessWindowStation and GetUserObjectInformationA, and 91028b formats strings (__woutput_s_l) using 90f7c0 (_malloc).
• Memory protection: 904ee2 calls VirtualProtect twice, from the loop at 907bf1 inside 907be8.
• CRT internals: 90f7c0 (_malloc) reaches RtlAllocateHeap at 90f7ff and, on its error path, 913c6c (GetModuleHandleExW, GetProcAddress, ExitProcess); the per-thread data lookup near 915881 uses GetLastError (915899), TlsGetValue (9188fd), TlsSetValue (918905), GetCurrentThreadId (9158e3) and SetLastError (9158fc).

                Control-flow Graph

                • Graph rendered as an image on the original page (executed blocks are colour-coded there). Basic blocks 9056fe-905757: 90570d calls GetModuleHandleW, 905719 calls 90789b, then the function either calls ExitThread (905756) or passes through 905738, optionally calling SetUnhandledExceptionFilter (905742), before ExitProcess (90574f).
                APIs
                • GetModuleHandleW.KERNEL32(00000000,?,?,?,0090578B,?,?,00913A9F,?,00000001,?,?,00000001,?,009254D0,0000000C), ref: 0090570E
                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,0090578B,?,?,00913A9F,?,00000001,?,?,00000001,?,009254D0,0000000C), ref: 00905743
                • ExitProcess.KERNEL32 ref: 00905750
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: ExceptionExitFilterHandleModuleProcessUnhandled
                • String ID:
                • API String ID: 3470424200-0
                • Opcode ID: 31b51f441c9677db708e33cb28d140e9e0fd33e0e4dcf88a8e9f813bcaf2370b
                • Instruction ID: 44ed32c296e3b9c73e480b71f1d916aeca51a8f5b934a690fa72567b2c510595
                • Opcode Fuzzy Hash: 31b51f441c9677db708e33cb28d140e9e0fd33e0e4dcf88a8e9f813bcaf2370b
                • Instruction Fuzzy Hash: 01F0E27A018700EFC7306F65ECC846B77ACEE51362315843AF60681562C634A8A2EFA1
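                The API ID, String ID and fuzzy-hash fields in each record are what the Similarity section pivots on, so it helps to know how the API ID is built. The Python below is an added illustration, not Joe Sandbox's code: it derives the API ID from a function's API list using a rule inferred from the IDs printed on this page. CamelCase Win32 names are split into capitalised words of three or more letters (which drops A/W suffixes and words like "Id" and "To"), the prefixes Get, Set, For and Rtl are dropped, all-lowercase CRT and Winsock names are kept whole, names with capitals but no CamelCase word (such as __FF_MSGBANNER) contribute nothing, and the tokens are grouped by reference count, most frequent first, groups joined with "$" and each group sorted in ASCII order. The stop list and the __FF_MSGBANNER treatment are assumptions that happen to reproduce every record on this page that prints its API list; Joe Sandbox does not document the algorithm, and the numeric "API String ID" hash is not reconstructed. The API lists are transcribed from this page; the one for 009086F9 is reconstructed from its control-flow graph (910150 being _memset according to the other records).

```python
"""Rebuild a Joe Sandbox-style "API ID" from a function's API references.

Added illustration, not Joe Sandbox's code. The rule is inferred from the IDs
printed in this report and is undocumented, so treat it as an approximation;
the stop list in particular is an assumption.
"""
import re
from collections import Counter

CAMEL_WORD = re.compile(r"[A-Z][a-z]+")
STOP_WORDS = {"Get", "Set", "For", "Rtl"}  # assumed: never appear in the observed IDs
MIN_WORD = 3  # drops A/W suffixes and two-letter words such as "Id", "To", "As"


def api_tokens(name: str) -> list:
    """Tokens contributed by one API reference.

    All-lowercase names (CRT and Winsock: _memset, htonl, inet_addr) are kept
    whole. Anything else is split into capitalised words; a name with capitals
    but no such word (__FF_MSGBANNER, __NMSG_WRITE) contributes nothing, which
    matches the 0090A0B7 record on this page.
    """
    if name == name.lower():
        return [name]
    return [w for w in CAMEL_WORD.findall(name)
            if len(w) >= MIN_WORD and w not in STOP_WORDS]


def api_id(api_refs: list) -> str:
    """Build the ID from one element per reference, subcall lines included.

    Tokens are grouped by how often they were referenced, the most frequent
    group first; groups are joined with "$" and each group is ASCII-sorted, so
    capitalised words precede "_"-prefixed names, which precede lowercase ones.
    """
    counts = Counter(tok for ref in api_refs for tok in api_tokens(ref))
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n]))
                    for n in sorted(by_count, reverse=True))


# API references transcribed from the records on this page, in printed order,
# direct and "Part of subcall function" lines alike. Keys are the function start
# addresses shown in the control-flow graphs (908AA3 and 908E70 come from the
# execution graph and the caller's graph respectively).
RECORDS = {
    "009056FE": ["GetModuleHandleW", "SetUnhandledExceptionFilter", "ExitProcess"],
    "0041A5F9": ["VirtualAlloc", "LoadLibraryA", "VirtualProtect"],
    "00908AA3": ["WaitForSingleObject", "recv", "recv", "GetLastError", "SetLastError",
                 "SetLastError", "_memmove", "htonl", "_malloc", "_memcpy_s", "recv",
                 "GetLastError", "_memcmp", "SetLastError", "SetLastError",
                 "GetLastError", "_free"],
    "0090789B": ["_memset", "_memset", "LoadLibraryA", "GetProcAddress", "__time64",
                 "GetSystemTimeAsFileTime", "__aulldiv", "_malloc", "_memset",
                 "GetCurrentThreadId", "LoadLibraryA", "GetProcAddress", "FreeLibrary",
                 "_calloc", "SetLastError", "_malloc", "_memcpy_s", "OpenThreadToken",
                 "GetCurrentProcess", "OpenProcessToken", "GetProcessWindowStation",
                 "GetUserObjectInformationA", "GetCurrentThreadId", "GetThreadDesktop",
                 "GetUserObjectInformationA"],
    "00908E70": ["_mbstowcs_s", "__wcstombs_s_l", "GetSystemTime", "SystemTimeToFileTime",
                 "__aulldiv", "_strncmp", "_strrchr", "_strrchr", "__wcstoi64", "_memset",
                 "WSAStartup", "WSAGetLastError", "SetHandleInformation"],
    # reconstructed from the graph: 910150 is _memset, the rest are named blocks
    "009086F9": ["_memset", "WSAStartup", "WSAGetLastError", "socket", "gethostbyname",
                 "inet_ntoa", "inet_addr", "htons"],
    "0090A0B7": ["_malloc", "__FF_MSGBANNER", "__NMSG_WRITE", "RtlAllocateHeap",
                 "_memset", "CreateMutexW"],
}


def all_ids() -> dict:
    """API ID for every transcribed record, keyed by function address."""
    return {addr: api_id(refs) for addr, refs in RECORDS.items()}
```

                Counting every reference, subcall lines included, is what produces the seven-strong ErrorLast group for 00908AA3; counting distinct names instead would put Error and Last in the singleton group and change the ID, so when pivoting on API IDs from your own tooling make sure the same counting rule is used on both sides.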

                Control-flow Graph

                • Graph rendered as an image on the original page (executed blocks are colour-coded there). Basic blocks 41a5f9-41aaf2: after the call to 41a5f1, block 41a641 reads the PEB (GetPEB), 41a83f calls VirtualAlloc, 41a8c4 calls LoadLibraryA inside the loop 41a8b4-41a956, and 41aaba calls VirtualProtect inside the loop 41aa12-41aad1; the remaining blocks are loops and compares with no API calls.
                APIs
                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0041A852
                • LoadLibraryA.KERNELBASE(?), ref: 0041A8CA
                • VirtualProtect.KERNELBASE(?,00000000,00000002,00000000), ref: 0041AAC3
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: Virtual$AllocLibraryLoadProtect
                • String ID:
                • API String ID: 1403325721-0
                • Opcode ID: d0911f3fb7ff9ca4e42fbf98101b4cd6e9d819dc6edbf79a3e30d88375ed4576
                • Instruction ID: ef4b6a8a1ebc269f7ab3534cdc709b0450dfa49abca70d8168f7874471162d93
                • Opcode Fuzzy Hash: d0911f3fb7ff9ca4e42fbf98101b4cd6e9d819dc6edbf79a3e30d88375ed4576
                • Instruction Fuzzy Hash: 88028BB1A016069FDB24CF98C9807EAB7F1FF48310F29446AD951A7391D338ADA2CB55

                Control-flow Graph

                APIs
                  • Part of subcall function 0090A109: WaitForSingleObject.KERNEL32(?,000000FF,?,00904A00,00000001,00000000,?,009049E4,00000000,00000000,00906503,00000000,00000000,0090798B), ref: 0090A117
                • recv.WS2_32(?,00000000,00000020,00000000), ref: 00908AFE
                • recv.WS2_32(?,?,-000000E4,00000000), ref: 00908B57
                • GetLastError.KERNEL32 ref: 00908B61
                • SetLastError.KERNEL32(00000490), ref: 00908B73
                • SetLastError.KERNEL32(00000000), ref: 00908B7F
                • _memmove.LIBCMT ref: 00908B94
                • htonl.WS2_32(?), ref: 00908BAE
                • _malloc.LIBCMT ref: 00908BC3
                • _memcpy_s.LIBCMT ref: 00908BDF
                • recv.WS2_32(?,00000020,-00000008,00000000), ref: 00908BFE
                • GetLastError.KERNEL32 ref: 00908C0A
                • _memcmp.LIBCMT ref: 00908C56
                • SetLastError.KERNEL32(00000000), ref: 00908C82
                • SetLastError.KERNEL32(00000000), ref: 00908CA2
                • GetLastError.KERNEL32 ref: 00908CA8
                • _free.LIBCMT ref: 00908CB5
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$recv$ObjectSingleWait_free_malloc_memcmp_memcpy_s_memmovehtonl
                • String ID:
                • API String ID: 241723272-0
                • Opcode ID: fb8ec94b6dbabfecbce6e454c57b5ed86ef7541cf4f929c4ba9327b5df6205c3
                • Instruction ID: d5822f791a2784d57d39f238e9e1c35fac9d6f2655a25642a6959c7afe1c1a7f
                • Opcode Fuzzy Hash: fb8ec94b6dbabfecbce6e454c57b5ed86ef7541cf4f929c4ba9327b5df6205c3
                • Instruction Fuzzy Hash: E161A172B00219AFEB209BA8CC85F9F7BBCEF58710F040465FA84E71D1EA70D9519B61
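                The API sequence in this record (a recv of 0x20 bytes, htonl on a field of it, _malloc, _memcpy_s of the header into the new buffer, a second recv whose length argument shows as "-8", then _memcmp) is the packet framing of the Meterpreter TCP transport. The Python below is an added illustration, neither the sample's code nor Metasploit's, that reproduces both sides of that exchange on an in-memory stream. The 32-byte header layout (4-byte XOR key, 16-byte session GUID, 4-byte flags, 4-byte big-endian length that includes the 8-byte TLV header, 4-byte type) and the XOR masking of everything after the key are assumed from Metasploit's public metsrv sources, not read from this report; the TLV type constants, the maximum-length check, the sample method and request-id strings and the function names (build_packet, recv_packet, parse_tlvs, decode_packet, is_truncated) are constructed for the example.

```python
"""Reassemble a Meterpreter TCP packet the way the receive routine at 00908AA3 does.

Added illustration: not the sample's code and not Metasploit's. The report
only shows the API order (recv 0x20 bytes, htonl, _malloc, _memcpy_s of the
header, recv of length-8 more bytes). The header layout and XOR masking are
assumed from Metasploit's public metsrv sources; TLV type values, the size
bound and the sample strings are constructed for this example.
"""
import io
import os
import struct

HEADER_SIZE = 32                 # first recv() in the report reads 0x20 bytes
XOR_KEY_SIZE = 4
TLV_HEADER_SIZE = 8              # length + type; the "-8" in the second recv()
MAX_PACKET = 16 * 1024 * 1024    # assumed sanity bound, not taken from the sample

PACKET_TYPE_REQUEST = 0          # assumed metsrv constant
TLV_TYPE_METHOD = 0x00010001     # assumed metsrv constants for two string TLVs
TLV_TYPE_REQUEST_ID = 0x00010002


class TruncatedPacket(ValueError):
    """Peer closed mid-packet: the GetLastError/SetLastError exit in the sample."""


def xor_bytes(key: bytes, data: bytes) -> bytes:
    """Mask or unmask data with the repeating 4-byte key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recv_exact(stream, n: int) -> bytes:
    """Loop until exactly n bytes arrive, as the recv loops in the sample do."""
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            raise TruncatedPacket(f"peer closed after {len(buf)} of {n} bytes")
        buf.extend(chunk)
    return bytes(buf)


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """TLV = big-endian total length (header included), big-endian type, value."""
    return struct.pack(">II", TLV_HEADER_SIZE + len(value), tlv_type) + value


def build_packet(method: str, request_id: str, session_guid: bytes,
                 xor_key: bytes = b"", packet_type: int = PACKET_TYPE_REQUEST) -> bytes:
    """Sender side: one masked request packet (constructed test input)."""
    xor_key = xor_key or os.urandom(XOR_KEY_SIZE)
    body = (encode_tlv(TLV_TYPE_METHOD, method.encode() + b"\0")
            + encode_tlv(TLV_TYPE_REQUEST_ID, request_id.encode() + b"\0"))
    # The length field covers the type field plus the body, which is why the
    # receiver reads length-8 more bytes after the 32-byte header.
    header = struct.pack(">16sIII", session_guid, 0,
                         TLV_HEADER_SIZE + len(body), packet_type)
    return xor_key + xor_bytes(xor_key, header + body)  # mask all but the key


def parse_tlvs(body: bytes) -> list:
    """Split the unmasked body into (type, value) pairs; lengths must tile it."""
    tlvs, pos = [], 0
    while pos < len(body):
        if pos + TLV_HEADER_SIZE > len(body):
            raise ValueError("trailing bytes shorter than a TLV header")
        tlen, ttype = struct.unpack_from(">II", body, pos)
        if tlen < TLV_HEADER_SIZE or pos + tlen > len(body):
            raise ValueError(f"bad TLV length {tlen} at offset {pos}")
        tlvs.append((ttype, body[pos + TLV_HEADER_SIZE:pos + tlen]))
        pos += tlen
    return tlvs


def recv_packet(stream) -> dict:
    """Receiver side, in the order the API list shows."""
    raw = recv_exact(stream, HEADER_SIZE)                       # recv(sock, buf, 0x20)
    key = raw[:XOR_KEY_SIZE]
    # 28 masked header bytes, a multiple of the key length, so the body can be
    # unmasked separately without losing key alignment.
    guid, enc_flags, length, ptype = struct.unpack(
        ">16sIII", xor_bytes(key, raw[XOR_KEY_SIZE:]))          # ntohl/htonl step
    if length < TLV_HEADER_SIZE or length > MAX_PACKET:         # check before _malloc
        raise ValueError(f"implausible packet length {length}")
    body = xor_bytes(key, recv_exact(stream, length - TLV_HEADER_SIZE))  # recv(buf+0x20, len-8)
    return {"session_guid": guid, "enc_flags": enc_flags,
            "type": ptype, "tlvs": parse_tlvs(body)}


def decode_packet(data: bytes) -> dict:
    """Convenience wrapper for byte strings captured off the wire."""
    return recv_packet(io.BytesIO(data))


def is_truncated(data: bytes) -> bool:
    """True when the capture ends before the announced length is reached."""
    try:
        decode_packet(data)
    except TruncatedPacket:
        return True
    return False
```

                A network signature keyed on fixed header bytes will not work against this framing: every packet carries a fresh XOR key and the rest of the header, length field included, is masked with it. What survives is the structure, a 32-byte read followed by a read of exactly length-8 more bytes and, after unmasking, TLV lengths that tile the body without gaps, which is what the parser above checks before trusting the contents.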

                Control-flow Graph

                • Graph rendered as an image on the original page (executed blocks are colour-coded there). Basic blocks 90789b-907b72: the prologue (90789b-907909) calls 90feb0, 910150 (twice), 90a322, 9110e7, 91050d, 90a1d1 and 90613a; failures branch to 90790d, which calls SetLastError, and then to the cleanup at 907b38 (90694e, 901109, 9061a4, 90feeb). The main path calls 905078, 907d11, 9064fc, 907be8, 90f7c0, 912b88 and OpenThreadToken (90796c), falling back to GetCurrentProcess and OpenProcessToken (9079cc); 9079ed then calls 907b77, GetProcessWindowStation, GetUserObjectInformationA, 91028b (four times), GetCurrentThreadId, GetThreadDesktop and GetUserObjectInformationA again. The loop at 907a84-907b19 calls 908e70, 908cd0 and 908e29 and calls 905035 (Sleep) or 905c90 between iterations; the exit path runs through 907cd6 and 906556 into 907b38.
                APIs
                • _memset.LIBCMT ref: 009078C3
                • _memset.LIBCMT ref: 009078D7
                  • Part of subcall function 0090A322: LoadLibraryA.KERNEL32(kernel32.dll,009078E4,?,00000000,000000FF,?,00000000,000000FF,009254A0,00000214,00905723,?,00000001,?,?), ref: 0090A327
                  • Part of subcall function 0090A322: GetProcAddress.KERNEL32(00000000,SetThreadErrorMode), ref: 0090A333
                • __time64.LIBCMT ref: 009078E5
                  • Part of subcall function 009110E7: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,009078EA,00000000,?,00000000,000000FF,?,00000000,000000FF,009254A0,00000214,00905723,?), ref: 009110F0
                  • Part of subcall function 009110E7: __aulldiv.LIBCMT ref: 00911110
                  • Part of subcall function 0090A1D1: _malloc.LIBCMT ref: 0090A1DA
                  • Part of subcall function 0090A1D1: _memset.LIBCMT ref: 0090A1F0
                  • Part of subcall function 0090A1D1: GetCurrentThreadId.KERNEL32 ref: 0090A1F8
                  • Part of subcall function 0090A1D1: LoadLibraryA.KERNEL32(kernel32.dll,?,?,000000FF,?,?,?,?,?,?,?,?,?,009078FB), ref: 0090A20D
                  • Part of subcall function 0090A1D1: GetProcAddress.KERNEL32(00000000,OpenThread), ref: 0090A21E
                  • Part of subcall function 0090A1D1: FreeLibrary.KERNEL32(00000000,?,?,000000FF,?,?,?,?,?,?,?,?,?,009078FB), ref: 0090A28D
                  • Part of subcall function 0090613A: _calloc.LIBCMT ref: 0090613F
                • SetLastError.KERNEL32(0000000A), ref: 0090790D
                • _malloc.LIBCMT ref: 0090799F
                • _memcpy_s.LIBCMT ref: 009079AB
                • OpenThreadToken.ADVAPI32(?,000F01FF,00000001,0000001C), ref: 009079C2
                • GetCurrentProcess.KERNEL32(000F01FF,0000001C), ref: 009079CE
                • OpenProcessToken.ADVAPI32(00000000), ref: 009079D5
                • GetProcessWindowStation.USER32(00000002,?,00000100,00000000), ref: 00907A0E
                • GetUserObjectInformationA.USER32(00000000), ref: 00907A1B
                • GetCurrentThreadId.KERNEL32 ref: 00907A49
                • GetThreadDesktop.USER32(00000000), ref: 00907A50
                • GetUserObjectInformationA.USER32(00000000), ref: 00907A57
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: Thread$CurrentLibraryProcess_memset$AddressInformationLoadObjectOpenProcTimeTokenUser_malloc$DesktopErrorFileFreeLastStationSystemWindow__aulldiv__time64_calloc_memcpy_s
                • String ID:
                • API String ID: 3017021961-0
                • Opcode ID: b6a1fb5c091152021c5c873b8a73e1e6dda51a4d91dd7aaff9d78bc9b4540077
                • Instruction ID: fb5d13b2ba69d5b84077e9095675523bd1d031c18046932e9c7808f217383559
                • Opcode Fuzzy Hash: b6a1fb5c091152021c5c873b8a73e1e6dda51a4d91dd7aaff9d78bc9b4540077
                • Instruction Fuzzy Hash: 2E81C1B1E08606AFD724AFA4CD85BAAB7ACBF48320F104519F519D7681DB34F950CBA0

                Control-flow Graph

                APIs
                • _mbstowcs_s.LIBCMT ref: 00908EA4
                  • Part of subcall function 00910867: __wcstombs_s_l.LIBCMT ref: 0091087B
                  • Part of subcall function 00905078: GetSystemTime.KERNEL32(?,?,?,?,?,?,00907926), ref: 00905082
                  • Part of subcall function 00905078: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,00907926), ref: 00905090
                  • Part of subcall function 00905078: __aulldiv.LIBCMT ref: 009050B0
                • _strncmp.LIBCMT ref: 00908EBF
                • _strrchr.LIBCMT ref: 00908EE6
                • _strrchr.LIBCMT ref: 00908EFE
                  • Part of subcall function 00913806: __wcstoi64.LIBCMT ref: 00913810
                  • Part of subcall function 009087B2: _memset.LIBCMT ref: 009087D9
                  • Part of subcall function 009087B2: WSAStartup.WS2_32(00000202,?), ref: 009087ED
                  • Part of subcall function 009087B2: WSAGetLastError.WS2_32 ref: 009087F7
                • SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 00908F6B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: Time$System_strrchr$ErrorFileHandleInformationLastStartup__aulldiv__wcstoi64__wcstombs_s_l_mbstowcs_s_memset_strncmp
                • String ID: 6$tcp
                • API String ID: 1158548289-2319321990
                • Opcode ID: d3c630832ca044037bc3faee2b19a4d0939c4c760f77662f0fe5d59ff6f82b61
                • Instruction ID: 4774edbb825318fe0554de47a63b6225af214af2bf9b4be4e3f70c83977dd65b
                • Opcode Fuzzy Hash: d3c630832ca044037bc3faee2b19a4d0939c4c760f77662f0fe5d59ff6f82b61
                • Instruction Fuzzy Hash: 12310C716043057FDB21B770DC4AFABBBBDAF84300F104499F785961C2EE76A5918791

                Control-flow Graph

                • Graph rendered as an image on the original page (executed blocks are colour-coded there). Basic blocks 9086f9-9087b1: 910150 and then WSAStartup; on failure WSAGetLastError (90873d); otherwise socket, gethostbyname, inet_ntoa, inet_addr, htons and the connect helper 9086ae (908745-90879d).
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLastStartup_memsetgethostbynamehtonsinet_addrinet_ntoasocket
                • String ID:
                • API String ID: 2917347708-0
                • Opcode ID: 0ae6b0f948c9263362454962f0490698ab049972b993bbb58bc2575990440fec
                • Instruction ID: 1ff43a1a4967ea559267a786cf351e1b22e04536790afd838da14d498c7eece8
                • Opcode Fuzzy Hash: 0ae6b0f948c9263362454962f0490698ab049972b993bbb58bc2575990440fec
                • Instruction Fuzzy Hash: FB11BE75A10208EFEB21AFA0DC49FEA77BCFF59310F100169F955E61A0EB7189A0DB51

                Control-flow Graph

                • Graph rendered as an image on the original page (executed blocks are colour-coded there). Basic blocks 90a29b-90a321: 90f7c0 (_malloc); on success 910150 (_memset) and 90a133, then CreateThread (90a2da). If 90a133 fails, 90f788 (_free) releases the buffer; if CreateThread fails, 90a173 and 90f788 clean up; an allocation failure exits through 90a318.
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: _free_malloc_memset
                • String ID:
                • API String ID: 2338540524-0
                • Opcode ID: 5e55a3ba7b43d4a654d5bf8ee0161bf1aab17aeac0ed3151b8c8200ede89f32f
                • Instruction ID: 3e6ed7fa0224cdef5730bb920786a1111fe39bf8adabbeeb7e1bd51d6044437d
                • Opcode Fuzzy Hash: 5e55a3ba7b43d4a654d5bf8ee0161bf1aab17aeac0ed3151b8c8200ede89f32f
                • Instruction Fuzzy Hash: 6701D632684701AFD3309F659C01F5B7BE89F54750F104429F515DA6C6E770D90197D3

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 354 90a0b7-90a0c4 call 90f7c0 357 90a0e1-90a0e4 354->357 358 90a0c6-90a0e0 call 910150 CreateMutexW 354->358 358->357
                APIs
                • _malloc.LIBCMT ref: 0090A0BA
                  • Part of subcall function 0090F7C0: __FF_MSGBANNER.LIBCMT ref: 0090F7D7
                  • Part of subcall function 0090F7C0: __NMSG_WRITE.LIBCMT ref: 0090F7DE
                  • Part of subcall function 0090F7C0: RtlAllocateHeap.NTDLL(006C0000,00000000,00000001,00000000,00000000,00000000,?,00918CB7,?,?,?,00000000,?,0091903E,00000018,00925620), ref: 0090F803
                • _memset.LIBCMT ref: 0090A0CD
                • CreateMutexW.KERNELBASE(00000000,00000000,00000000,0090614D,00000000,00907905), ref: 0090A0D8
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: AllocateCreateHeapMutex_malloc_memset
                • String ID:
                • API String ID: 2746245553-0
                • Opcode ID: 4064bceeb0053108efdeb974fc6cbde3d268aa450f18a2b7767863dd501ea82d
                • Instruction ID: 14e0206486e43af3c0d2823b31722992bfe31d5d84ded4458e4815cdb4ac93d2
                • Opcode Fuzzy Hash: 4064bceeb0053108efdeb974fc6cbde3d268aa450f18a2b7767863dd501ea82d
                • Instruction Fuzzy Hash: C0D05E76A092617AD23126667C0DF4B5E6CCFD3F20F01012DF60496281D9600982C1E2

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 361 901052-90105d call 90f7c0 363 901062-901067 361->363 364 901069-90106c 363->364 365 90106e-901082 call 90f860 363->365 366 9010a4-9010a7 364->366 369 901084-90108a 365->369 370 90108f-90109e 365->370 369->370 370->366
                APIs
                • _malloc.LIBCMT ref: 0090105D
                  • Part of subcall function 0090F7C0: __FF_MSGBANNER.LIBCMT ref: 0090F7D7
                  • Part of subcall function 0090F7C0: __NMSG_WRITE.LIBCMT ref: 0090F7DE
                  • Part of subcall function 0090F7C0: RtlAllocateHeap.NTDLL(006C0000,00000000,00000001,00000000,00000000,00000000,?,00918CB7,?,?,?,00000000,?,0091903E,00000018,00925620), ref: 0090F803
                • _memmove.LIBCMT ref: 00901073
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: AllocateHeap_malloc_memmove
                • String ID:
                • API String ID: 3795339465-0
                • Opcode ID: 634a5aa5054b532fc9d465c6eec5a2b623e245f2e40ad32eb118b7a01fcd7308
                • Instruction ID: e2912c42bf7933dbe5f44b978c4c3a2cb0897e6328a154a71544e0236e7d18f6
                • Opcode Fuzzy Hash: 634a5aa5054b532fc9d465c6eec5a2b623e245f2e40ad32eb118b7a01fcd7308
                • Instruction Fuzzy Hash: D9F0A737A247145FC3309B25D901B977BADEF85B60F00043AF589C7581C3705811C7D2

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 371 9086ae-9086b8 call 905078 374 9086ba-9086d3 call 905078 connect 371->374 377 9086f3-9086f8 374->377 378 9086d5-9086e8 call 905035 call 905078 374->378 378->374 383 9086ea-9086ed closesocket 378->383 383->377
                APIs
                  • Part of subcall function 00905078: GetSystemTime.KERNEL32(?,?,?,?,?,?,00907926), ref: 00905082
                  • Part of subcall function 00905078: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,00907926), ref: 00905090
                  • Part of subcall function 00905078: __aulldiv.LIBCMT ref: 009050B0
                • connect.WS2_32(?,?,?), ref: 009086C8
                  • Part of subcall function 00905035: Sleep.KERNEL32(FFFFFED8,00000000,00000000,?,00907B0D,?), ref: 00905058
                  • Part of subcall function 00905035: Sleep.KERNEL32(?,00000000,?,00907B0D,?), ref: 0090506F
                • closesocket.WS2_32(?), ref: 009086ED
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: Time$SleepSystem$File__aulldivclosesocketconnect
                • String ID:
                • API String ID: 3714606903-0
                • Opcode ID: fdd4ef454b507aa271a5ffd3c22880d0dba46f7266b45296c8998d1dc874ffb0
                • Instruction ID: 73f4deff4f387f3ffa996fe66a17b2be02486934cf1c71ea6717f0381c269b56
                • Opcode Fuzzy Hash: fdd4ef454b507aa271a5ffd3c22880d0dba46f7266b45296c8998d1dc874ffb0
                • Instruction Fuzzy Hash: F6E0E532500519AFCF113F75EC0989F7F7AAF953B1B024625F918961F1CA32C9A2ABD4

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 384 908df1-908dfc 385 908e00-908e11 recv 384->385 386 908e13-908e1b closesocket call 90a3b2 385->386 387 908dfe 385->387 389 908e20-908e26 386->389 387->385 387->386
                APIs
                • recv.WS2_32(?,?,00000004,00000000), ref: 00908E09
                • closesocket.WS2_32(?), ref: 00908E14
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: closesocketrecv
                • String ID:
                • API String ID: 485150354-0
                • Opcode ID: 36ceda8f04d523e70b92fc69979b38effa6a30b6c81d69f1c0114b318829af57
                • Instruction ID: b30311400bfc39f03dbdc499c4c7921427b348456e6e30dff046c45a36395cba
                • Opcode Fuzzy Hash: 36ceda8f04d523e70b92fc69979b38effa6a30b6c81d69f1c0114b318829af57
                • Instruction Fuzzy Hash: 77E08632314218BFD7206B55EC05FAB776DEF51760F004025FB00D61D1DB24E95196E9

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 390 908a39-908aa2 call 90a109 select call 90a11f
                APIs
                  • Part of subcall function 0090A109: WaitForSingleObject.KERNEL32(?,000000FF,?,00904A00,00000001,00000000,?,009049E4,00000000,00000000,00906503,00000000,00000000,0090798B), ref: 0090A117
                • select.WS2_32(?,?,00000000,00000000,?), ref: 00908A8A
                  • Part of subcall function 0090A11F: ReleaseMutex.KERNEL32(00000000,?,0090A0F6,00000000,00000000,?,0090617A,00000000,00000000,00907905), ref: 0090A12B
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: MutexObjectReleaseSingleWaitselect
                • String ID:
                • API String ID: 3242039827-0
                • Opcode ID: c126464a2791d9cf87c78a0cdb86b1ec588ffc0a487c7b7dd6bd5003bd8a207d
                • Instruction ID: d80df97a8f147b55183c921f822fbc89c1a283c0c43e7d263adbe14aceb15410
                • Opcode Fuzzy Hash: c126464a2791d9cf87c78a0cdb86b1ec588ffc0a487c7b7dd6bd5003bd8a207d
                • Instruction Fuzzy Hash: AD011D76914118AFCB14DF58E8459D9FBF8EF18310F10429AF948D3340D671A9908FD4

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 395 908e29-908e31 396 908e33-908e36 395->396 397 908e6e-908e6f 395->397 396->397 398 908e38-908e3f 396->398 399 908e41-908e45 398->399 400 908e6a-908e6d 398->400 401 908e51-908e62 call 90a29b call 90a344 399->401 402 908e47-908e4f closesocket 399->402 400->397 406 908e67 401->406 402->400 406->400
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: closesocket
                • String ID:
                • API String ID: 2781271927-0
                • Opcode ID: 5b39ac96ab98e030b8cacac9c5c4dd254382a5878ae074688a1b6d8147ce804c
                • Instruction ID: d2e045bf45f192341c67cf92061feb5f11dc408522ed10219295c028056c2391
                • Opcode Fuzzy Hash: 5b39ac96ab98e030b8cacac9c5c4dd254382a5878ae074688a1b6d8147ce804c
                • Instruction Fuzzy Hash: 7FF03970600315EFDF212E49C805B5A73ACAF10B51F240469F584A60E1DBB5A8A0DA91

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 407 90a344-90a34c 408 90a350-90a35d ResumeThread 407->408 409 90a34e-90a34f 407->409
                APIs
                • ResumeThread.KERNELBASE(570875FF,?,009011BE,00000000), ref: 0090A353
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: ResumeThread
                • String ID:
                • API String ID: 947044025-0
                • Opcode ID: 69a1ed0a4720a084d40e31e5ed85394e3a9facbf1f3cadeab0e244380bf1f9bb
                • Instruction ID: 5e0b18458e3f14bc150d82aacb6678a99d02575099ddf462f6e38c54c5ad1f7c
                • Opcode Fuzzy Hash: 69a1ed0a4720a084d40e31e5ed85394e3a9facbf1f3cadeab0e244380bf1f9bb
                • Instruction Fuzzy Hash: C3C08C322A420C8FCB005BA8EC06C217BDC9B046093048060F40CCA420E722E8606580
                APIs
                  • Part of subcall function 009049B9: _malloc.LIBCMT ref: 009049BC
                • VirtualAllocEx.KERNEL32(?,6B0095F0,00002000,00003000,00000040,00000000,00000000,00000000), ref: 00902684
                • VirtualQueryEx.KERNEL32(?,00000000,00000000,0000001C), ref: 0090269D
                • _malloc.LIBCMT ref: 009026AE
                • _memset.LIBCMT ref: 009026C7
                • WriteProcessMemory.KERNEL32(?,?,00000000,?,00000000), ref: 009026D9
                • WriteProcessMemory.KERNEL32(?,?,?,00000012,00000000), ref: 009026FA
                • _free.LIBCMT ref: 00902709
                • LoadLibraryA.KERNEL32(ntdll), ref: 00902714
                • GetProcAddress.KERNEL32(00000000,NtQueueApcThread), ref: 0090272B
                • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00902740
                • GetLastError.KERNEL32(00000004,00000000), ref: 0090274E
                • Thread32First.KERNEL32(00000000,0000001C), ref: 0090275E
                • VirtualAllocEx.KERNEL32(?,00000000,00000130,00003000,00000040,00000004,00000000), ref: 00902778
                • WriteProcessMemory.KERNEL32(?,00000000,009281C0,00000144,00000000), ref: 00902796
                • WriteProcessMemory.KERNEL32(?,?,?,00000014,00000000), ref: 009027AC
                • OpenThread.KERNEL32(001F03FF,00000000,?), ref: 009027C8
                • SuspendThread.KERNEL32(00000000), ref: 009027D5
                • CloseHandle.KERNEL32(00000000), ref: 00902801
                • Thread32Next.KERNEL32(00000000,0000001C), ref: 0090280C
                • SetLastError.KERNEL32(0000000A,00000000,00000000,00000000), ref: 00902819
                • GetLastError.KERNEL32 ref: 0090281F
                • Sleep.KERNEL32(000007D0), ref: 00902859
                • ResumeThread.KERNEL32(00000000), ref: 00902872
                • CloseHandle.KERNEL32(00000000), ref: 00902879
                • CloseHandle.KERNEL32(?), ref: 0090289E
                • FreeLibrary.KERNEL32(00000002), ref: 009028AC
                • SetLastError.KERNEL32(00000005,00000000,00000000), ref: 009028B3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLastMemoryProcessWrite$CloseHandleThreadVirtual$AllocLibraryThread32_malloc$AddressCreateFirstFreeLoadNextOpenProcQueryResumeSleepSnapshotSuspendToolhelp32_free_memset
                • String ID: NtQueueApcThread$ntdll
                • API String ID: 3396850899-1374908105
                • Opcode ID: f91517281847ea02d04f7b1dabf22ddbf0263e456491f68dbe3b2e57a7fc6114
                • Instruction ID: 211a949062e81a73b67d533dfa2629f8f38b82d7890660bd9b80647789c2d017
                • Opcode Fuzzy Hash: f91517281847ea02d04f7b1dabf22ddbf0263e456491f68dbe3b2e57a7fc6114
                • Instruction Fuzzy Hash: D891C33594031AEFEF219FA4DC49BAE7BBDBF54700F148029FA00B61D1DB7099529BA1
                APIs
                • GetCurrentProcess.KERNEL32(00000028,?), ref: 00901C47
                • OpenProcessToken.ADVAPI32(00000000), ref: 00901C4E
                • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00901C7A
                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 00901C8F
                • CloseHandle.KERNEL32(?), ref: 00901C98
                • OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00901CA7
                • GetLastError.KERNEL32 ref: 00901CB3
                • _free.LIBCMT ref: 00901E33
                • CloseHandle.KERNEL32(00000000), ref: 00901E57
                • CloseHandle.KERNEL32(?), ref: 00901E65
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: CloseHandleProcess$OpenToken$AdjustCurrentErrorLastLookupPrivilegePrivilegesValue_free
                • String ID: SeDebugPrivilege
                • API String ID: 3722413835-2896544425
                • Opcode ID: ca2c6f05e85b5a2b5efafc59ae5fd610b62409bbb0bfe5da30aadc7cf52d3074
                • Instruction ID: ab685fd48f1d181c0f3c1a447926f1c46b47eefdcaaf805155ce6f179d34eba0
                • Opcode Fuzzy Hash: ca2c6f05e85b5a2b5efafc59ae5fd610b62409bbb0bfe5da30aadc7cf52d3074
                • Instruction Fuzzy Hash: DC912672D40229AFDB219BA5CD49FEFBBBCEF48750F144025FA04E6290D7349A51DBA0
                APIs
                  • Part of subcall function 009050FA: __time64.LIBCMT ref: 00905108
                  • Part of subcall function 009050FA: _rand.LIBCMT ref: 00905121
                  • Part of subcall function 009050FA: _rand.LIBCMT ref: 00905135
                  • Part of subcall function 009050FA: _rand.LIBCMT ref: 00905142
                  • Part of subcall function 009050FA: _rand.LIBCMT ref: 0090514F
                • _memcpy_s.LIBCMT ref: 0090593C
                • CryptDuplicateKey.ADVAPI32(?,00000000,00000000,?,?,?,?,?,00000001,?,?,00903DDF,?,?,?,?), ref: 0090596C
                • GetLastError.KERNEL32(?,?,?,?,00000001,?,?,00903DDF,?), ref: 00905976
                • CryptSetKeyParam.ADVAPI32(?,00000004,?,00000000,?,?,?,?,00000001,?,?,00903DDF,?), ref: 0090599B
                • CryptGenRandom.ADVAPI32(?,00000010,?,?,?,?,?,00000001,?,?,00903DDF,?), ref: 009059AC
                • GetLastError.KERNEL32(?,?,?,?,00000001,?,?,00903DDF,?), ref: 009059BC
                • CryptSetKeyParam.ADVAPI32(?,00000001,?,00000000,?,?,?,?,00000001,?,?,00903DDF,?), ref: 009059CC
                • GetLastError.KERNEL32(?,?,?,?,00000001,?,?,00903DDF,?), ref: 009059D2
                • htonl.WS2_32(00000001), ref: 009059D8
                • _memcpy_s.LIBCMT ref: 00905A17
                • CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,-00000010,00903DDF,?,?,?,?,?,?,?,?,?,?), ref: 00905A2D
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,?,?,00903DDF,?), ref: 00905A37
                • htonl.WS2_32(-00000018), ref: 00905A4D
                • _memcpy_s.LIBCMT ref: 00905A61
                • _memcpy_s.LIBCMT ref: 00905A71
                • _malloc.LIBCMT ref: 009059EF
                  • Part of subcall function 0090F7C0: __FF_MSGBANNER.LIBCMT ref: 0090F7D7
                  • Part of subcall function 0090F7C0: __NMSG_WRITE.LIBCMT ref: 0090F7DE
                  • Part of subcall function 0090F7C0: RtlAllocateHeap.NTDLL(006C0000,00000000,00000001,00000000,00000000,00000000,?,00918CB7,?,?,?,00000000,?,0091903E,00000018,00925620), ref: 0090F803
                • _malloc.LIBCMT ref: 00905A96
                • htonl.WS2_32(00000000), ref: 00905AA5
                • _memcpy_s.LIBCMT ref: 00905AB4
                • _memcpy_s.LIBCMT ref: 00905AC6
                • CryptDestroyKey.ADVAPI32(00000000,?,?,?,?,?,?,?,00000001,?,?,00903DDF,?,?,?), ref: 00905AF2
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: Crypt_memcpy_s$ErrorLast_rand$htonl$Param_malloc$AllocateDestroyDuplicateEncryptHeapRandom__time64
                • String ID:
                • API String ID: 2310265568-0
                • Opcode ID: eabfd005374be97e80dfd8534ab6a81ed2b0abb1102d165ab50fb2aa66cba965
                • Instruction ID: b43a2b4d394626948b6828c1987a6999c4a890474b12ebacb1bec843b469edcf
                • Opcode Fuzzy Hash: eabfd005374be97e80dfd8534ab6a81ed2b0abb1102d165ab50fb2aa66cba965
                • Instruction Fuzzy Hash: 26616CB1A40209EFDB109FA4CC85FAA7BB9FF48310F154155F908AB291D771E9A1DFA0
                APIs
                • CryptDecodeObjectEx.CRYPT32(00000001,00000008,?,?,00008000,00000000,?,?), ref: 00905D16
                • GetLastError.KERNEL32 ref: 00905D20
                • CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000), ref: 00905D44
                • CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,00000008), ref: 00905D58
                • CryptImportPublicKeyInfo.CRYPT32(?,00000001,?,00006610), ref: 00905D6A
                • CryptEncrypt.ADVAPI32(00006610,00000000,00000001,00000000,00000000,?,?), ref: 00905D8F
                • _calloc.LIBCMT ref: 00905D96
                • _free.LIBCMT ref: 00905E1D
                • LocalFree.KERNEL32(00000000,00000000,00000000,?), ref: 00905E2C
                • CryptDestroyKey.ADVAPI32(00000000,00000000,00000000,?), ref: 00905E3B
                • CryptReleaseContext.ADVAPI32(00000000,00000000,00000000,00000000,?), ref: 00905E4C
                Strings
                • Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00905D34
                • Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00905D4E
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: Crypt$Context$Acquire$DecodeDestroyEncryptErrorFreeImportInfoLastLocalObjectPublicRelease_calloc_free
                • String ID: Microsoft Enhanced Cryptographic Provider v1.0$Microsoft Enhanced Cryptographic Provider v1.0
                • API String ID: 1372360500-947817771
                • Opcode ID: 64e630ea0047c7794002bddb9fd4281845e9526bf3078b41ef8c50561cf06947
                • Instruction ID: 9e4f939824ca59574180bdbcf654c9abf4cc8d8f41e100baceb48838a3d2462d
                • Opcode Fuzzy Hash: 64e630ea0047c7794002bddb9fd4281845e9526bf3078b41ef8c50561cf06947
                • Instruction Fuzzy Hash: 77517975A44609BFDF218F94CC84BEFBBBDAB08740F118065BA04AA1D0D7719E90DFA0
                APIs
                • _calloc.LIBCMT ref: 009057C2
                  • Part of subcall function 00910021: __calloc_impl.LIBCMT ref: 00910034
                • htonl.WS2_32(?), ref: 009057DB
                • htonl.WS2_32(?), ref: 00905803
                • CryptDuplicateKey.ADVAPI32(?,00000000,00000000,?), ref: 0090581E
                • GetLastError.KERNEL32 ref: 00905828
                • CryptDestroyKey.ADVAPI32(00000000), ref: 00905901
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: Crypthtonl$DestroyDuplicateErrorLast__calloc_impl_calloc
                • String ID:
                • API String ID: 3044516756-0
                • Opcode ID: 2567fea74b4cd364d7fe95f241d84ada4761557c42ae771ea5fcbb9f42f3bcf1
                • Instruction ID: a4a0a1886c2d40ea75382767769c819bb64ff9dd3d122a9be5ad58eefede2e2c
                • Opcode Fuzzy Hash: 2567fea74b4cd364d7fe95f241d84ada4761557c42ae771ea5fcbb9f42f3bcf1
                • Instruction Fuzzy Hash: B3413771600609EFDB209F68DC85EAB7BACFF58310B144169FD08D6291DB31DA61DBA0
                APIs
                • GetFileInformationByHandle.KERNEL32(?,?,00000003,?,?,00000060,?,?,?,00404755,?,?,00000001,00000FFF,?), ref: 004096D9
                • DeviceIoControl.KERNEL32(?,000900C4,00000000,00000000,00000000,00000000,00000000,?), ref: 00409724
                • GetLastError.KERNEL32(?,?,?,00404755,?,?,00000001,00000FFF,?), ref: 0040973C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: ControlDeviceErrorFileHandleInformationLast
                • String ID: CancelIo
                • API String ID: 3565310562-2988344177
                • Opcode ID: 5b4297dcc28b15ba0e0f3558a64750a58f09f599b388f21b852e9bef90daabf7
                • Instruction ID: 3e939fd83af9fc51f0f6c84d4415395016cc3e490bdac680781bafe8d471883f
                • Opcode Fuzzy Hash: 5b4297dcc28b15ba0e0f3558a64750a58f09f599b388f21b852e9bef90daabf7
                • Instruction Fuzzy Hash: 01418072760205EBE720DF65DC81B6B73A8EB84714F04867BED09E77C1D678EC018A98
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _isctype$strncmp
                • String ID: $%$I64d
                • API String ID: 1540279034-4085867986
                • Opcode ID: 57bee6e5013779966081a9f1aa070e5e68e0e3fafd60283fa721bb66dd656735
                • Instruction ID: eefe65c54441297a669a388be7fcce8e2ddf0ff82c1c4b1b7305ffde71ed2eab
                • Opcode Fuzzy Hash: 57bee6e5013779966081a9f1aa070e5e68e0e3fafd60283fa721bb66dd656735
                • Instruction Fuzzy Hash: 1BB1C670D08285CFDB14CF68C8906AEBBB1BF85304F24417BD851AB391D778A952DF56
                APIs
                  • Part of subcall function 0090770B: GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,009077B7,SeSecurityPrivilege,00000001,?,?,00000000,?), ref: 00907717
                  • Part of subcall function 0090770B: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,009077B7,SeSecurityPrivilege,00000001,?,?,00000000,?), ref: 0090771E
                  • Part of subcall function 0090770B: GetLastError.KERNEL32(?,?,?,?,?,009077B7,SeSecurityPrivilege,00000001,?,?,00000000,?,?,?,?,?), ref: 00907728
                • CreateNamedPipeW.KERNEL32(?,00000003,00000000,000000FF,00010000,00010000,00000000,?), ref: 009082E6
                • GetLastError.KERNEL32 ref: 009082EA
                • CreateNamedPipeW.KERNEL32(?,00000003,00000000,000000FF,00010000,00010000,00000000,00000000), ref: 00908323
                • GetLastError.KERNEL32 ref: 00908327
                  • Part of subcall function 00907604: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,762322C0), ref: 00907632
                  • Part of subcall function 00907604: SetEntriesInAclW.ADVAPI32(00000001,?,00000000,?,?), ref: 00907676
                  • Part of subcall function 00907604: AllocateAndInitializeSid.ADVAPI32(?,00000001,00001000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,009077D9), ref: 0090769E
                  • Part of subcall function 00907604: LocalAlloc.KERNEL32(00000040,00000100), ref: 009076AE
                  • Part of subcall function 00907604: InitializeAcl.ADVAPI32(00000000,00000100,00000004), ref: 009076B6
                  • Part of subcall function 00907604: LocalAlloc.KERNEL32(00000040,00000014,00000000,00000004,00000004,00000000,009077D9), ref: 009076D0
                  • Part of subcall function 00907604: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 009076D7
                  • Part of subcall function 00907604: SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 009076E4
                  • Part of subcall function 00907604: SetSecurityDescriptorSacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 009076EF
                • ConnectNamedPipe.KERNEL32(00000000,00000000), ref: 0090833D
                • GetLastError.KERNEL32 ref: 00908347
                • CloseHandle.KERNEL32(00000000), ref: 00908368
                  • Part of subcall function 0090770B: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,?), ref: 00907739
                  • Part of subcall function 0090770B: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,?,00000000), ref: 00907776
                  • Part of subcall function 0090770B: CloseHandle.KERNEL32(?), ref: 00907790
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                 • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: ErrorInitializeLast$DescriptorNamedPipeSecurity$AllocAllocateCloseCreateHandleLocalProcessToken$AdjustConnectCurrentDaclEntriesLookupOpenPrivilegePrivilegesSaclValue
                • String ID: SeSecurityPrivilege$SeSecurityPrivilege
                • API String ID: 139426882-1340523147
                • Opcode ID: 1de65c5534066b008c389e7c8b78a5bbd0729c1a08fca0dc216e0c3e49cab734
                • Instruction ID: c7c3317a0daf901c92422aeab4d31524830dcda1c54aa3e4bdf854323554ac4b
                • Opcode Fuzzy Hash: 1de65c5534066b008c389e7c8b78a5bbd0729c1a08fca0dc216e0c3e49cab734
                • Instruction Fuzzy Hash: 84210831A40129BEDB30A7A59C45FEF7B6CEF81BA0F100121F958E61D1DA7099819AE4
                APIs
                • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00406B69
                • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00406B7B
                • SystemTimeToFileTime.KERNEL32(?,00402FCF,00402FCF,?,000F4240,00000000), ref: 00406BA9
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00406BC2
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00406BDA
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00406BED
                • FileTimeToLocalFileTime.KERNEL32(?,00402FCF,-48461031,?,0000000A,00000000,?,00000000,?), ref: 00406C41
                • FileTimeToSystemTime.KERNEL32(00402FCF,?), ref: 00406C4F
                • GetTimeZoneInformation.KERNEL32(?,00402FCF,?,000F4240,00000000), ref: 00406C7C
                  • Part of subcall function 00406D10: GetTimeZoneInformation.KERNEL32(00410440,?,00406B5E,00000000,-48461031,?,0000000A,00000000,?,00000000,?), ref: 00406D21
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: Time$File$System$Unothrow_t@std@@@__ehfuncinfo$??2@$InformationLocalZone$Specific
                • String ID:
                • API String ID: 3622107965-0
                • Opcode ID: 1f7ed89566010cc1e9d43ea2b95156d316337c3de510c96baad5095354ff3cf3
                • Instruction ID: f768c43612ade8e4aa87fc50379748b2922fab9fddd5b7b771dcf40895142d94
                • Opcode Fuzzy Hash: 1f7ed89566010cc1e9d43ea2b95156d316337c3de510c96baad5095354ff3cf3
                • Instruction Fuzzy Hash: 6051CA71A00119AFDB18DF65DC85EAF77B9EB88304F10866EF906FB285E670AD04C794
                APIs
                • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,762322C0), ref: 00907632
                • SetEntriesInAclW.ADVAPI32(00000001,?,00000000,?,?), ref: 00907676
                • AllocateAndInitializeSid.ADVAPI32(?,00000001,00001000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,009077D9), ref: 0090769E
                • LocalAlloc.KERNEL32(00000040,00000100), ref: 009076AE
                • InitializeAcl.ADVAPI32(00000000,00000100,00000004), ref: 009076B6
                  • Part of subcall function 0090729A: LoadLibraryA.KERNEL32(advapi32.dll,?,009076CC,00000000,00000004,00000004,00000000,009077D9), ref: 009072B5
                  • Part of subcall function 0090729A: GetProcAddress.KERNEL32(00000000,AddMandatoryAce), ref: 009072C5
                • LocalAlloc.KERNEL32(00000040,00000014,00000000,00000004,00000004,00000000,009077D9), ref: 009076D0
                • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 009076D7
                • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 009076E4
                • SetSecurityDescriptorSacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 009076EF
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                 • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: Initialize$DescriptorSecurity$AllocAllocateLocal$AddressDaclEntriesLibraryLoadProcSacl
                • String ID:
                • API String ID: 2917215309-0
                • Opcode ID: 226b5a4fffa8455a81525bfc181efbd3d79cd99620294d9024cfd3071a8a7a84
                • Instruction ID: 31efb4226a333eccdd91d52f714cf4700b60ca8c32707e2565dedc7e861f0819
                • Opcode Fuzzy Hash: 226b5a4fffa8455a81525bfc181efbd3d79cd99620294d9024cfd3071a8a7a84
                • Instruction Fuzzy Hash: 983103B1D4020CBEEB10CF94DC85FEEBBBCEB08754F10406AFA04B6290D7B55A418BA5
                APIs
                • OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00902B13
                • GetLastError.KERNEL32 ref: 00902B1F
                • VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000004), ref: 00902B43
                • GetLastError.KERNEL32 ref: 00902B4F
                • CloseHandle.KERNEL32(00000000), ref: 00902BEC
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                 • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$AllocCloseHandleOpenProcessVirtual
                • String ID:
                • API String ID: 1758641474-0
                • Opcode ID: 2c3237427e929b6d9c1d4fa9a38930c5161f7627207d0bfea741368e5e78e527
                • Instruction ID: e4217f7af5e0e56534f2770c54b1bbb19bdb447734cfb9245078da5e901e8f4b
                • Opcode Fuzzy Hash: 2c3237427e929b6d9c1d4fa9a38930c5161f7627207d0bfea741368e5e78e527
                • Instruction Fuzzy Hash: FC31BE3264421AFFDF315F918C49FAB7BACEF46B90F104019FE04AA1D0D6709C51ABA5
                APIs
                • AllocateAndInitializeSid.ADVAPI32(00409C60,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00410684,?,?,00000000,?,?), ref: 00409CD9
                • SetLastError.KERNEL32(00000001,?,?,00000000,?,?,?), ref: 00409DC8
                • SetLastError.KERNEL32(00000001,?,?,00000000,?,?,?), ref: 00409DD2
                • SetLastError.KERNEL32(00000001,?,?,00000000,?,?,?), ref: 00409E74
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$AllocateInitialize
                • String ID: W@$GetEffectiveRightsFromAclW
                • API String ID: 866321161-2553180354
                • Opcode ID: fbef195182be7dbf8cfc14502354f37206fc78d51f41bd26b1983f5372ee90dd
                • Instruction ID: 13e6f3467d2bc116686ee1f056e483cd005715f687a932f7b4b7ccbb46668c95
                • Opcode Fuzzy Hash: fbef195182be7dbf8cfc14502354f37206fc78d51f41bd26b1983f5372ee90dd
                • Instruction Fuzzy Hash: 6C5151B0A40205AFDB20DF58D8C1BAF77A5AB54304F14843EE51AA72C2D7799D84CBA9
                APIs
                • _calloc.LIBCMT ref: 00905B29
                  • Part of subcall function 00905C90: CryptDestroyKey.ADVAPI32(?,00907B48,?,009061B1,00907B48,7693BD50,?,00907B48,00000000), ref: 00905CA7
                  • Part of subcall function 00905C90: CryptReleaseContext.ADVAPI32(10E015FF,00000000,00907B48,?,009061B1,00907B48,7693BD50,?,00907B48,00000000), ref: 00905CB9
                  • Part of subcall function 00905C90: _free.LIBCMT ref: 00905CC2
                • CryptAcquireContextW.ADVAPI32(00000000,00000000,00928618,00000018,00000000), ref: 00905B5D
                • GetLastError.KERNEL32 ref: 00905B67
                • CryptGenRandom.ADVAPI32(00000000,00000020,0000001C), ref: 00905BAE
                • CryptImportKey.ADVAPI32(00000000,00000010,0000002C,00000000,00000000,00000004), ref: 00905BC5
                • GetLastError.KERNEL32 ref: 00905BCF
                • _free.LIBCMT ref: 00905C42
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                 • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: Crypt$ContextErrorLast_free$AcquireDestroyImportRandomRelease_calloc
                • String ID:
                • API String ID: 1247967341-0
                • Opcode ID: 6f99b24b6a1a3638a4f78832175e30916b4445f0d364fc15c79a77cb24926fc7
                • Instruction ID: 6868239efeadfb6c8e08f947b3eadd85625dd577ab9ed7f7fa3e6240c785267d
                • Opcode Fuzzy Hash: 6f99b24b6a1a3638a4f78832175e30916b4445f0d364fc15c79a77cb24926fc7
                • Instruction Fuzzy Hash: 5F41F271900714BFEB249F64CC49FAEBBB9EF44710F108459F908AA191D771AEA0DF94
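The function above acquires a PROV_RSA_AES (0x18) context, draws 0x20 bytes from CryptGenRandom and hands CryptImportKey a 0x2C-byte buffer. Those sizes are consistent with a 32-byte AES-256 key wrapped in a CryptoAPI PLAINTEXTKEYBLOB (8-byte BLOBHEADER, 4-byte cbKey, 32 key bytes); the argument slots in the listing are positional and partly unresolved, so this is an inference from the sizes, not something the report states. The Python below is an added example, not metsrv's own code: it builds such a blob from a raw key, parses one back with the consistency checks CryptImportKey would apply, and exposes the length arithmetic. Constants are the standard wincrypt.h values.

```python
import struct
import os

# Added example for this report, not metsrv's own code: build and parse the CryptoAPI
# PLAINTEXTKEYBLOB that CryptImportKey consumes, to show why an AES-256 key imported
# this way is 0x2C (44) bytes: BLOBHEADER (8) + DWORD cbKey (4) + 32 key bytes.

PLAINTEXTKEYBLOB = 0x8
CUR_BLOB_VERSION = 0x2
CALG_AES = {0x660E: 16, 0x660F: 24, 0x6610: 32}   # CALG_AES_128 / _192 / _256 -> key bytes
_HEADER = struct.Struct("<BBHII")                  # bType, bVersion, reserved, aiKeyAlg, cbKey


def alg_name(alg_id):
    return f"CALG_AES_{CALG_AES[alg_id] * 8}"


def build_plaintext_key_blob(key):
    """Wrap a raw AES key in a PLAINTEXTKEYBLOB, picking the ALG_ID from the key length."""
    alg = next((a for a, n in CALG_AES.items() if n == len(key)), None)
    if alg is None:
        raise ValueError(f"AES key must be 16, 24 or 32 bytes, got {len(key)}")
    return _HEADER.pack(PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg, len(key)) + bytes(key)


def parse_plaintext_key_blob(blob):
    """Validate header, ALG_ID and length consistency; return the algorithm name and key."""
    if len(blob) < _HEADER.size:
        raise ValueError("blob shorter than BLOBHEADER + cbKey")
    btype, bver, _reserved, alg, cbkey = _HEADER.unpack_from(blob)
    if btype != PLAINTEXTKEYBLOB or bver != CUR_BLOB_VERSION:
        raise ValueError(f"not a PLAINTEXTKEYBLOB v2 (bType={btype:#x}, bVersion={bver})")
    if alg not in CALG_AES:
        raise ValueError(f"unsupported ALG_ID {alg:#x}")
    if cbkey != CALG_AES[alg] or _HEADER.size + cbkey != len(blob):
        raise ValueError(f"cbKey {cbkey} inconsistent with ALG_ID or blob length {len(blob)}")
    return {"alg": alg_name(alg), "key": blob[_HEADER.size:]}


def is_valid_blob(blob):
    """Analyst-side check: does this buffer parse as a well-formed AES plaintext key blob?"""
    try:
        parse_plaintext_key_blob(blob)
        return True
    except ValueError:
        return False


def expected_blob_len(key_len):
    return _HEADER.size + key_len


if __name__ == "__main__":
    key = os.urandom(32)   # stands in for the 0x20 bytes the sample pulls from CryptGenRandom
    blob = build_plaintext_key_blob(key)
    print(f"blob length: {len(blob):#x}, parsed as {parse_plaintext_key_blob(blob)['alg']}")
```

A 44-byte buffer whose first 12 bytes are 08 02 00 00 10 66 00 00 20 00 00 00 is an AES-256 plaintext key blob and the 32 bytes that follow are the session key, which is why a memory dump taken around this call is worth carving for that header.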
                APIs
                • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,009077B7,SeSecurityPrivilege,00000001,?,?,00000000,?), ref: 00907717
                • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,009077B7,SeSecurityPrivilege,00000001,?,?,00000000,?), ref: 0090771E
                • GetLastError.KERNEL32(?,?,?,?,?,009077B7,SeSecurityPrivilege,00000001,?,?,00000000,?,?,?,?,?), ref: 00907728
                • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,?), ref: 00907739
                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,?,00000000), ref: 00907776
                • CloseHandle.KERNEL32(?), ref: 00907790
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                 • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                • String ID:
                • API String ID: 3398352648-0
                • Opcode ID: 49277aa9bb6cb815198a300b4c0388f9a7d208825081119734566bff84c27f37
                • Instruction ID: 83bf50683ee64d514d897b4a215ebc58bae077f17a97fa3b876f94ff01b30398
                • Opcode Fuzzy Hash: 49277aa9bb6cb815198a300b4c0388f9a7d208825081119734566bff84c27f37
                • Instruction Fuzzy Hash: 48114575A54208AFDB10CFE4CC49BFEBBFCFB08341F000425EA05E6290E735AA559B61
                APIs
                • GetVersionExA.KERNEL32(004107F8,?,?,?,00405F49,?), ref: 0040A741
                • _isctype.MSVCRT ref: 0040A77A
                • atoi.MSVCRT(0041080C,?,?,?,00405F49,?), ref: 0040A7D2
                • _isctype.MSVCRT ref: 0040A8B7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _isctype$Versionatoi
                • String ID: I_@
                • API String ID: 360680596-3421859670
                • Opcode ID: af4aff7534a77a33defcaa862ad40fe4b827b1faaf989ef55baef6d0aa869133
                • Instruction ID: e44e724456581220f9f3eb0f89e9ce8180b0e551fc54c68c799f1b0576f17104
                • Opcode Fuzzy Hash: af4aff7534a77a33defcaa862ad40fe4b827b1faaf989ef55baef6d0aa869133
                • Instruction Fuzzy Hash: F551E175A083418BEB20AB2489547B633A19B46300F25C977D982FB3D5D23CD9A38B5F
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                 • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLastacceptbindclosesocketlisten
                • String ID:
                • API String ID: 3590725066-0
                • Opcode ID: 6e924550e6d8feba1c1c8bbe69d9029c44a141fc8b18cdd595bbfcb5f865bb8f
                • Instruction ID: 558a56f3c098ddaafbc675563dbb7b1ca8d8fc8b00024d3b69c1fc8db49c91e4
                • Opcode Fuzzy Hash: 6e924550e6d8feba1c1c8bbe69d9029c44a141fc8b18cdd595bbfcb5f865bb8f
                • Instruction Fuzzy Hash: 12F0BD34615018EFCB211F65EC4C89A7E69EF153B1B508611FD39D52F0DB319D72AB90
                APIs
                • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000004,00925470,00000010), ref: 00904FCB
                • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 00904FDF
                • VirtualProtectEx.KERNEL32(?,?,?,00000020,00000000), ref: 00904FF2
                • CreateRemoteThread.KERNEL32(?,00000000,00100000,?,?,00000000,?), ref: 00905011
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                 • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: Virtual$AllocCreateMemoryProcessProtectRemoteThreadWrite
                • String ID:
                • API String ID: 1113946311-0
                • Opcode ID: f26225b353cee60f09940ba5c5b7c5f1aee066d5c9d5cb15c540d995e5ecc713
                • Instruction ID: f1238941422c85f05022265569de3e868d5d99dce6418b6f639ec0bd98786c8c
                • Opcode Fuzzy Hash: f26225b353cee60f09940ba5c5b7c5f1aee066d5c9d5cb15c540d995e5ecc713
                • Instruction Fuzzy Hash: D811467160061ABFDB318F65DC85FAF3A7CEF48B90F018119BA18A61D1CB709911DFA0
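The remote-thread injection function above (VirtualAllocEx, WriteProcessMemory, VirtualProtectEx, CreateRemoteThread), the OpenProcess(0x47A) function, the DeviceIoControl(0x900C4) function and the CreateNamedPipeW server function all carry their meaning in numeric arguments that the listing leaves undecoded. The following Python is an added example for this page, not Joe Sandbox tooling or metsrv code: it parses the listing's own "APIs" line format, decodes the access mask, allocation and protection flags, pipe open mode and IOCTL fields against standard Win32 constants, and checks for the injection call sequence. The sample lines are copied from the listing; merging calls from several functions into one sample is a simplification for the example, and the sandbox's positional argument logging (with '?' for unresolved values) means each decode is only as reliable as the slot it reads.

```python
import re
from dataclasses import dataclass

# Added example for this report, not Joe Sandbox code: parse the "APIs" lines of a
# function listing and decode the argument values that matter when judging an
# injection, pipe-server or IOCTL call. Constant tables hold standard Win32 values,
# limited to the subset that appears in this report.

_API_RE = re.compile(
    r"(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?(?P<api>[\w$@?]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
PROCESS_RIGHTS = {0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION",
                  0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE", 0x40: "PROCESS_DUP_HANDLE",
                  0x80: "PROCESS_CREATE_PROCESS", 0x200: "PROCESS_SET_INFORMATION",
                  0x400: "PROCESS_QUERY_INFORMATION", 0x800: "PROCESS_SUSPEND_RESUME",
                  0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
PIPE_OPEN = {0x1: "PIPE_ACCESS_INBOUND", 0x2: "PIPE_ACCESS_OUTBOUND", 0x3: "PIPE_ACCESS_DUPLEX"}
KNOWN_IOCTLS = {0x000900C4: "FSCTL_SET_SPARSE"}  # device 0x9 = FILE_DEVICE_FILE_SYSTEM
INJECTION_CHAIN = ("VirtualAllocEx", "WriteProcessMemory", "VirtualProtectEx", "CreateRemoteThread")

@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int
    subcall: bool  # True for "Part of subcall function ..." lines

    def hex_arg(self, i):
        """Argument i as an int, or None where the sandbox logged '?' or a string."""
        if i < len(self.args) and re.fullmatch(r"[0-9A-Fa-f]{1,8}", self.args[i]):
            return int(self.args[i], 16)
        return None

def parse_api_lines(text):
    calls = []
    for raw in text.splitlines():
        m = _API_RE.search(raw.strip().lstrip("•").strip())
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                                 int(m.group("ref"), 16), m.group("sub") is not None))
    return calls

def decode_mask(value, table):
    """Names of the bits set in value; bits missing from the table are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    return names + ([f"0x{unknown:X}"] if unknown else [])

def decode_ioctl(code):
    """Split a CTL_CODE into device, access, function and method (0 = METHOD_BUFFERED)."""
    return {"device": code >> 16, "access": (code >> 14) & 0x3, "function": (code >> 2) & 0xFFF,
            "method": code & 0x3, "name": KNOWN_IOCTLS.get(code)}

def annotate(call):
    """Decode the arguments that carry meaning for the APIs this report lists."""
    a = call.hex_arg
    if call.api == "OpenProcess" and a(0) is not None:
        return {"desired_access": decode_mask(a(0), PROCESS_RIGHTS)}
    if call.api == "VirtualAllocEx" and a(3) is not None:
        return {"alloc_type": decode_mask(a(3), MEM_FLAGS), "protect": PAGE_PROTECT.get(a(4))}
    if call.api == "VirtualProtectEx" and a(3) is not None:
        return {"new_protect": PAGE_PROTECT.get(a(3))}
    if call.api == "DeviceIoControl" and a(1) is not None:
        return decode_ioctl(a(1))
    if call.api == "CreateNamedPipeW" and a(1) is not None:
        return {"open_mode": PIPE_OPEN.get(a(1) & 0x3),
                "max_instances": "PIPE_UNLIMITED_INSTANCES" if a(3) == 0xFF else a(3)}
    return {}

def has_chain(calls, chain=INJECTION_CHAIN):
    """True when the chain's APIs occur in this order (gaps allowed) among the function's own calls."""
    names = iter(c.api for c in calls if not c.subcall)
    return all(any(n == want for n in names) for want in chain)

def analyse(text):
    calls = parse_api_lines(text)
    return {"calls": calls, "decoded": {c.api: info for c in calls if (info := annotate(c))},
            "remote_thread_injection": has_chain(calls)}

# Lines copied from the listing above. OpenProcess, DeviceIoControl and CreateNamedPipeW
# belong to other functions in the report and are merged here only to exercise the decoders.
SAMPLE = """
• OpenProcess.KERNEL32(0000047A,00000000,?), ref: 00902B13
• GetLastError.KERNEL32 ref: 00902B1F
• VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000004,00925470,00000010), ref: 00904FCB
• WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 00904FDF
• VirtualProtectEx.KERNEL32(?,?,?,00000020,00000000), ref: 00904FF2
• CreateRemoteThread.KERNEL32(?,00000000,00100000,?,?,00000000,?), ref: 00905011
• DeviceIoControl.KERNEL32(?,000900C4,00000000,00000000,00000000,00000000,00000000,?), ref: 00409724
• CreateNamedPipeW.KERNEL32(?,00000003,00000000,000000FF,00010000,00010000,00000000,?), ref: 009082E6
"""

if __name__ == "__main__":
    result = analyse(SAMPLE)
    for api, info in result["decoded"].items():
        print(f"{api}: {info}")
    print("remote-thread injection chain:", result["remote_thread_injection"])
```

Decoding gives 0x47A = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION, a superset of what the allocate/write/protect/thread sequence needs, with the allocation made PAGE_READWRITE and flipped to PAGE_EXECUTE_READ only before the thread starts. 0x900C4 decodes as device 0x9 (FILE_DEVICE_FILE_SYSTEM), function 49, METHOD_BUFFERED, which is FSCTL_SET_SPARSE on a file handle rather than an IOCTL to a third-party driver, so a DeviceIoControl hit on its own is weak evidence of driver interaction. The pipe is created PIPE_ACCESS_DUPLEX with PIPE_UNLIMITED_INSTANCES, which is what a pivot listener rather than a one-shot client needs.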
                APIs
                • WSARecv.WS2_32(?,?,00000001,?,?,00000000,00000000), ref: 00408B7C
                • WSAGetLastError.WSOCK32 ref: 00408B8E
                • WSAGetLastError.WSOCK32 ref: 00408B9E
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$Recv
                • String ID:
                • API String ID: 3000205240-0
                • Opcode ID: 6744492262c5ce8d26d4a084f7b205447c6b8b9cc931996caabdd27e42bbb9d9
                • Instruction ID: 8aa1ee1d6ec978486d32d59d971503ef31e8af1e2e674fecaa2e91ad41fd1a53
                • Opcode Fuzzy Hash: 6744492262c5ce8d26d4a084f7b205447c6b8b9cc931996caabdd27e42bbb9d9
                • Instruction Fuzzy Hash: 21113C72A40209ABD710DFA8DD41BEEB7F8EB54320F10466EE954D7380E6B5AA508B90
                APIs
                • LoadLibraryA.KERNEL32(?,00000000,?,00405D79,00000004,CommandLineToArgvW,00000000,?,?,?,?,0040104A,?,?,00000000), ref: 0040A961
                • GetProcAddress.KERNEL32(?,00000000), ref: 0040A97B
                • GetProcAddress.KERNEL32(00000000,?), ref: 0040A98B
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: AddressProc$LibraryLoad
                • String ID:
                APIs
                • CryptDestroyKey.ADVAPI32(?,00907B48,?,009061B1,00907B48,7693BD50,?,00907B48,00000000), ref: 00905CA7
                • CryptReleaseContext.ADVAPI32(10E015FF,00000000,00907B48,?,009061B1,00907B48,7693BD50,?,00907B48,00000000), ref: 00905CB9
                • _free.LIBCMT ref: 00905CC2
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                Similarity
                • API ID: Crypt$ContextDestroyRelease_free
                • String ID:
                APIs
                • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,004117F8,00000001,?,00000000), ref: 00406A0B
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00406A24
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                • String ID:
                APIs
                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00914B92,?,?,?,00000000), ref: 00918C48
                • UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 00918C51
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: __invoke_watson
                • String ID:
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                Similarity
                • API ID: _memmove
                • String ID:
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID:
                • String ID: L@A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID:
                • String ID: bl@
                APIs
                • GetProcessHeap.KERNEL32(009138B1,009254B0,00000008,00913A87,?,00000001,?,009254D0,0000000C,00913A26,?,00000001,?), ref: 00913BE8
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                Similarity
                • API ID: HeapProcess
                • String ID:
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d0911f3fb7ff9ca4e42fbf98101b4cd6e9d819dc6edbf79a3e30d88375ed4576
                • Instruction ID: f4aaf188c034e4e7cf16f7b3729854d45345549d9d3ea10ae27ef2a531447fbf
                • Opcode Fuzzy Hash: d0911f3fb7ff9ca4e42fbf98101b4cd6e9d819dc6edbf79a3e30d88375ed4576
                • Instruction Fuzzy Hash: D8024A75A00A06DFDB24CF98C9807AEB7F5FF48310F2A4469E851AB291D374AD91CF50
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3fe5e054ae8f7e7a9f8c43198b7e314e9966a12b68df81b2b274b5bd224f5eec
                • Instruction ID: 89dcbb965f0663f14aa2b090ea45d1a6404db6fe40269abcb71d0d2752cbbd4d
                • Opcode Fuzzy Hash: 3fe5e054ae8f7e7a9f8c43198b7e314e9966a12b68df81b2b274b5bd224f5eec
                • Instruction Fuzzy Hash: F1F1D571E002199FCF14CFA8D590AADBBB5FF98314F24816AE859E7790D730AA85CF50
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3fe5e054ae8f7e7a9f8c43198b7e314e9966a12b68df81b2b274b5bd224f5eec
                • Instruction ID: 95e2c60890161a7ae2526e8c5d8a9d8a03bbb0f4ddea130b82d3d105dd631ea8
                • Opcode Fuzzy Hash: 3fe5e054ae8f7e7a9f8c43198b7e314e9966a12b68df81b2b274b5bd224f5eec
                • Instruction Fuzzy Hash: 12F1F575E102299FCF14CFA8E580AADBBB1FF88314F64816AE859E7340D734A985CF54
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                • Instruction ID: 524dc9587c8cd81cb729caf2896e80d764af2738e77e3ca7284faeb8e91bf358
                • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                • Instruction Fuzzy Hash: 6BC1B43630A19709DF2D473A88341BEBFA55EA27B131A076ED4B3CB1D4EE20C5B5D620
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                • Instruction ID: 673c577958b1b73d6dd84402766c37885d4bf08e37a7d553e18055c943027925
                • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                • Instruction Fuzzy Hash: 4FC163363090730ADB2D4A39E47403FFAA15E917B235B1B5FD8B2CB2D4EE18D568D524
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                • Instruction ID: 4c9559424681a05f09624fd63e05c59de1a5ed906cc62393f0f881b24282f8d8
                • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                • Instruction Fuzzy Hash: C3C1C5363051970ADF2D473AC8741BEBEA55EA27B131A076EE4B2CB1D4EE20C5B5D620
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                • Instruction ID: 08503059dea713d1c2f30ba16fd53d6acee092427e4e8fc35a9f14925567c32d
                • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                • Instruction Fuzzy Hash: 57C174363091B309DF2D463AD47403FBAA15E927B235B1B5ED4B2CB2C5EF28D528D624
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                • Instruction ID: 92aa0de7f11331d600ecc7f162d79311ac628dcd175e50a95ba0bcb1e58c98e2
                • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                • Instruction Fuzzy Hash: 17C1B73630A1A719DF2D463AC8341BEFEA55EA27B131A076ED5B3CB1C8FE10C5A5D610
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                • Instruction ID: ebca23ec1ce0b782c1f6a7457fc2b85b7fffc3dde179fbb8bf354bf8a9fb2d06
                • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                • Instruction Fuzzy Hash: 4AC173363091B309DF1D4639E47443FBAA15EA27B235B1B6FD4B2CB2C5EE18C528D524
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                • Instruction ID: 2d73154bfbdbe30b8900ed414ae48cdd09ccb2bfa3c7c75221c5f221217da51f
                • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                • Instruction Fuzzy Hash: 97C1B83631609719DF2D463AC8341BEFFA55EA27B131A076ED5B3CB2C4EE20C5A5D620
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                Strings
                • -g filename Output collected data to gnuplot format file., xrefs: 00404510
                • -p postfile File containing data to POST. Remember also to set -T, xrefs: 00404388
                • -T content-type Content-type header for POSTing, eg., xrefs: 004043AF
                • -X proxy:port Proxyserver and port number to use, xrefs: 004044C0
                • -A attribute Add Basic WWW Authentication, the attributes, xrefs: 00404477
                • -t timelimit Seconds to max. wait for responses, xrefs: 00404367
                • 'application/x-www-form-urlencoded', xrefs: 004043BD
                • -d Do not show percentiles served table., xrefs: 004044EF
                • -i Use HEAD instead of GET, xrefs: 00404400
                • -w Print out results in HTML tables, xrefs: 004043EF
                • -r Don't exit on socket receive errors., xrefs: 00404532
                • -k Use HTTP KeepAlive feature, xrefs: 004044DE
                • -H attribute Add Arbitrary header line, eg. 'Accept-Encoding: gzip', xrefs: 00404456
                • are a colon separated username and password., xrefs: 00404488, 004044A9
                • Inserted after all normal header lines. (repeatable), xrefs: 00404467
                • -z attributes String to insert as td or th attributes, xrefs: 00404438
                • -b windowsize Size of TCP send/receive buffer, in bytes, xrefs: 00404377
                • -n requests Number of requests to perform, xrefs: 00404345
                • -e filename Output CSV file with percentages served, xrefs: 00404521
                • -u putfile File containing data to PUT. Remember also to set -T, xrefs: 00404399
                • -C attribute Add cookie, eg. 'Apache=1234. (repeatable), xrefs: 00404445
                • -P attribute Add Basic Proxy Authentication, the attributes, xrefs: 00404499
                • -c concurrency Number of multiple requests to make, xrefs: 00404356
                • Options are:, xrefs: 00404335
                • -V Print version number and exit, xrefs: 004044CE
                • -h Display usage information (this message), xrefs: 00404548
                • -y attributes String to insert as tr attributes, xrefs: 0040441B
                • Usage: %s [options] [http://]hostname[:port]/path, xrefs: 00404327
                • -S Do not show confidence estimators and warnings., xrefs: 00404500
                • -x attributes String to insert as table attributes, xrefs: 00404410
                • -v verbosity How much troubleshooting info to print, xrefs: 004043DE
                • Default is 'text/plain', xrefs: 004043CE
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: fprintf$exit
                • String ID: 'application/x-www-form-urlencoded'$ Default is 'text/plain'$ Inserted after all normal header lines. (repeatable)$ are a colon separated username and password.$ -A attribute Add Basic WWW Authentication, the attributes$ -C attribute Add cookie, eg. 'Apache=1234. (repeatable)$ -H attribute Add Arbitrary header line, eg. 'Accept-Encoding: gzip'$ -P attribute Add Basic Proxy Authentication, the attributes$ -S Do not show confidence estimators and warnings.$ -T content-type Content-type header for POSTing, eg.$ -V Print version number and exit$ -X proxy:port Proxyserver and port number to use$ -b windowsize Size of TCP send/receive buffer, in bytes$ -c concurrency Number of multiple requests to make$ -d Do not show percentiles served table.$ -e filename Output CSV file with percentages served$ -g filename Output collected data to gnuplot format file.$ -h Display usage information (this message)$ -i Use HEAD instead of GET$ -k Use HTTP KeepAlive feature$ -n requests Number of requests to perform$ -p postfile File containing data to POST. Remember also to set -T$ -r Don't exit on socket receive errors.$ -t timelimit Seconds to max. wait for responses$ -u putfile File containing data to PUT. Remember also to set -T$ -v verbosity How much troubleshooting info to print$ -w Print out results in HTML tables$ -x attributes String to insert as table attributes$ -y attributes String to insert as tr attributes$ -z attributes String to insert as td or th attributes$Options are:$Usage: %s [options] [http://]hostname[:port]/path
                • API String ID: 3254994702-1132481021
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: printf$calloc$fflushfprintfmallocsignal
                • String ID: Server timed out$Test aborted after 10 failures$%s %s HTTP/1.0%s%s%s%s$%s %s HTTP/1.0%s%s%sContent-length: %uContent-type: %s%s$(be patient)%s$...$..done$2.3$@8A$Accept: */*$Benchmarking %s $Connection: Keep-Alive$Finished %d requests$GET$HEAD$Host: $INFO: %s header == ---%s---$POST$PUT$Request too long$User-Agent: ApacheBench/$[through %s:%d] $apr_poll$apr_pollset_create failed$apr_sockaddr_info_get() for %s$apr_socket_connect()$error creating request buffer: out of memory$text/plain
                • API String ID: 1904654689-1036632920
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: printf$calloc$exitfflushfprintf
                • String ID: Server timed out$Test aborted after 10 failures$%s$%s %s HTTP/1.0%s%s%s%s$(be patient)%s$...$2.3$Accept: */*$Benchmarking %s $Connection: Keep-Alive$Finished %d requests$GET$HEAD$Host: $INFO: %s header == ---%s---$POST$PUT$Request too long$Total of %d requests completed$User-Agent: ApacheBench/$[through %s:%d] $apr_poll$apr_pollset_create failed$apr_sockaddr_info_get() for %s$apr_socket_connect()$error creating request buffer: out of memory
                • API String ID: 4071646354-2456507862
                APIs
                  • Part of subcall function 00408B40: WSARecv.WS2_32(?,?,00000001,?,?,00000000,00000000), ref: 00408B7C
                  • Part of subcall function 00408B40: WSAGetLastError.WSOCK32 ref: 00408B8E
                • fprintf.MSVCRT ref: 00403D6B
                • printf.MSVCRT ref: 00403E46
                • strstr.MSVCRT ref: 00403E5E
                • strstr.MSVCRT ref: 00403E74
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: strstr$ErrorLastRecvfprintfprintf
                • String ID: Test aborted after 10 failures$$%s: %s (%d)$500$Completed %d requests$Content-Length:$Content-length:$HTTP$Keep-Alive$LOG: Response code = %s$LOG: header received:%s$Server:$WARNING: Response code not 2xx (%s)$apr_socket_recv$keep-alive
                • API String ID: 2173821265-2285042995
                APIs
                  • Part of subcall function 00405D20: GetCommandLineW.KERNEL32(?,?,?,?,0040104A,?,?,00000000), ref: 00405D57
                  • Part of subcall function 00405D20: GlobalFree.KERNEL32(00000000), ref: 00405DAD
                  • Part of subcall function 00405D20: GetEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,0040104A,?,?,00000000), ref: 00405DB4
                  • Part of subcall function 00405D20: __p__environ.MSVCRT ref: 00405DBF
                  • Part of subcall function 00405D20: malloc.MSVCRT ref: 00405DDD
                  • Part of subcall function 00405D20: __p__environ.MSVCRT ref: 00405DE8
                  • Part of subcall function 00405D20: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405E03
                  • Part of subcall function 00405D20: __p__wenviron.MSVCRT ref: 00405E0F
                  • Part of subcall function 00405D20: __p__wenviron.MSVCRT ref: 00405E18
                  • Part of subcall function 00405D20: __p__wenviron.MSVCRT ref: 00405E1C
                  • Part of subcall function 00405D20: free.MSVCRT ref: 00405E25
                • _isctype.MSVCRT ref: 004012B0
                • _isctype.MSVCRT ref: 00401343
                • _strnicmp.MSVCRT ref: 00401414
                • _strnicmp.MSVCRT ref: 00401437
                • fprintf.MSVCRT ref: 0040155B
                • fprintf.MSVCRT ref: 004015A8
                • fprintf.MSVCRT ref: 004015E2
                • fprintf.MSVCRT ref: 00401616
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: fprintf$__p__wenviron$EnvironmentFreeStrings__p__environ_isctype_strnicmp$CommandGlobalLinefreemalloc
                • String ID: %s: Cannot use concurrency level greater than total number of requests$%s: Invalid Concurrency [Range 0..%d]$%s: invalid URL$%s: wrong number of arguments$@8A$Accept:$Authentication credentials too long$Authorization: Basic $Cookie: $Host:$Proxy credentials too long$Proxy-Authorization: Basic $User-Agent:$gfff$n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq
                • API String ID: 1027794356-2667160859
                Strings
                • Licensed to The Apache Software Foundation, http://www.apache.org/<br>, xrefs: 004042F5
                • Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/, xrefs: 004042BC
                • This is ApacheBench, Version %s <i>&lt;%s&gt;</i><br>, xrefs: 004042E7
                • <p>, xrefs: 004042D6
                • Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/<br>, xrefs: 004042EE
                • </p><p>, xrefs: 004042FC
                • $Revision: 655654 $, xrefs: 004042DD
                • 2.3, xrefs: 004042E2
                • Licensed to The Apache Software Foundation, http://www.apache.org/, xrefs: 004042C3
                • 2.3 <$Revision: 655654 $>, xrefs: 004042B0
                • This is ApacheBench, Version %s, xrefs: 004042B5
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: printf
                • String ID: Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/<br>$ Licensed to The Apache Software Foundation, http://www.apache.org/<br>$ This is ApacheBench, Version %s <i>&lt;%s&gt;</i><br>$$Revision: 655654 $$2.3$2.3 <$Revision: 655654 $>$</p><p>$<p>$Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/$Licensed to The Apache Software Foundation, http://www.apache.org/$This is ApacheBench, Version %s
                • API String ID: 3524737521-2680221841
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                Similarity
                • API ID: _free_wcsncpy$_calloc_mbstowcs_memmove$_memset_wcscpy
                • String ID: https$pipe$tcp
                • API String ID: 1390386863-2240554849
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: wcsncmp
                • String ID: GetCompressedFileSizeA$GetCompressedFileSizeW$GetNamedSecurityInfoA$GetNamedSecurityInfoW$GetSecurityInfo$UNC\$ZwQueryInformationFile$\\?\
                • API String ID: 2509195183-113847736
                APIs
                • WinHttpOpenRequest.WINHTTP(?,GET,?,00000000,00000000,00000000,00000100), ref: 00909173
                • SetLastError.KERNEL32(00000490), ref: 00909184
                • WinHttpGetIEProxyConfigForCurrentUser.WINHTTP(?), ref: 009091AF
                • _calloc.LIBCMT ref: 009091D8
                • GlobalFree.KERNEL32(00000000), ref: 0090927D
                • GlobalFree.KERNEL32(00000000), ref: 0090928C
                • GlobalFree.KERNEL32(00000000), ref: 0090929B
                • WinHttpSetOption.WINHTTP(00000000,00001003,?,00000000), ref: 009092ED
                • WinHttpSetOption.WINHTTP(00000000,0000001F,?,00000004), ref: 00909307
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                Similarity
                • API ID: Http$FreeGlobal$Option$ConfigCurrentErrorLastOpenProxyRequestUser_calloc
                • String ID: GET$POST
                • API String ID: 3023714100-3192705859
                APIs
                • exit.MSVCRT ref: 004011CD
                • exit.MSVCRT ref: 00401214
                • fprintf.MSVCRT ref: 0040155B
                • fprintf.MSVCRT ref: 004015A8
                • fprintf.MSVCRT ref: 004015E2
                • fprintf.MSVCRT ref: 00401616
                  • Part of subcall function 00401750: fprintf.MSVCRT ref: 00401766
                  • Part of subcall function 00401750: printf.MSVCRT ref: 0040177E
                  • Part of subcall function 00401750: exit.MSVCRT ref: 00401789
                  • Part of subcall function 00401750: printf.MSVCRT ref: 004017F9
                  • Part of subcall function 00401750: printf.MSVCRT ref: 00401817
                  • Part of subcall function 00401750: printf.MSVCRT ref: 00401835
                  • Part of subcall function 00401750: fflush.MSVCRT ref: 00401841
                  • Part of subcall function 00401750: calloc.MSVCRT ref: 0040185C
                  • Part of subcall function 00401750: calloc.MSVCRT ref: 0040186B
                Strings
                • %s: invalid URL, xrefs: 004015A2
                • %s: Invalid Concurrency [Range 0..%d], xrefs: 004015DC
                • %s: wrong number of arguments, xrefs: 00401555
                • %s: Cannot use concurrency level greater than total number of requests, xrefs: 00401610
                • Cannot mix PUT and HEAD, xrefs: 004011DB
                • gfff, xrefs: 0040163C
                • Cannot mix POST and HEAD, xrefs: 00401194
                • n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq, xrefs: 00401521
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: fprintf$printf$exit$calloc$fflush
                • String ID: %s: Cannot use concurrency level greater than total number of requests$%s: Invalid Concurrency [Range 0..%d]$%s: invalid URL$%s: wrong number of arguments$Cannot mix POST and HEAD$Cannot mix PUT and HEAD$gfff$n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq
                • API String ID: 2141280880-917301088
                APIs
                • LoadLibraryW.KERNEL32(ntdll), ref: 0090467E
                • GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 0090469F
                • GetProcAddress.KERNEL32(00000000,NtQueryAttributesFile), ref: 009046A9
                • GetProcAddress.KERNEL32(?,NtOpenFile), ref: 009046B5
                • GetProcAddress.KERNEL32(?,NtCreateSection), ref: 009046C2
                • GetProcAddress.KERNEL32(?,NtOpenSection), ref: 009046CF
                • GetProcAddress.KERNEL32(?,NtClose), ref: 009046DC
                  • Part of subcall function 009045F4: WriteProcessMemory.KERNEL32(000000FF,00904599,?,00000005,?,?,?,009046FA,?,00000000,?,00904599,?,?), ref: 0090460C
                  • Part of subcall function 009045F4: VirtualQuery.KERNEL32(?,?,0000001C,?,?), ref: 00904627
                  • Part of subcall function 009045F4: VirtualProtect.KERNEL32(?,00000040,00000040,?,?,?), ref: 0090463F
                  • Part of subcall function 009045F4: VirtualProtect.KERNEL32(?,?,?,?,?,?), ref: 0090465C
                  • Part of subcall function 009045F4: FlushInstructionCache.KERNEL32(000000FF,?,?,?,?), ref: 00904666
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: AddressProc$Virtual$Protect$CacheFlushInstructionLibraryLoadMemoryProcessQueryWrite
                • String ID: NtClose$NtCreateSection$NtMapViewOfSection$NtOpenFile$NtOpenSection$NtQueryAttributesFile$ntdll
                • API String ID: 1694779802-2731749698
                • Opcode ID: 13364649d1746d5350d17807ec0e5dd6ce2f54afd01426de4154e5b64dcbc180
                • Instruction ID: 8f69ec419b596b83efc6b07a514240685f6649e24492ce551871c11c507cb126
                • Opcode Fuzzy Hash: 13364649d1746d5350d17807ec0e5dd6ce2f54afd01426de4154e5b64dcbc180
                • Instruction Fuzzy Hash: 91314FB2E41328BFCB109BA59D459DFBE78EF89B54F000155BA1863280C7716A21DBD1
                APIs
                • LoadLibraryA.KERNEL32(ntdll,?,?,?,?,0090440D), ref: 009047FE
                • GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 0090481F
                • GetProcAddress.KERNEL32(00000000,NtQueryAttributesFile), ref: 00904829
                • GetProcAddress.KERNEL32(0090440D,NtOpenFile), ref: 00904835
                • GetProcAddress.KERNEL32(0090440D,NtCreateSection), ref: 00904842
                • GetProcAddress.KERNEL32(0090440D,NtOpenSection), ref: 0090484F
                • GetProcAddress.KERNEL32(0090440D,NtClose), ref: 0090485C
                  • Part of subcall function 00904792: VirtualQuery.KERNEL32(?,?,0000001C,?,?,00904874,?,00000000,?,?,00000000,?,?,?,?,0090440D), ref: 009047A1
                  • Part of subcall function 00904792: VirtualProtect.KERNEL32(?,?,00000040,?,?,?,00904874,?,00000000,?,?,00000000), ref: 009047B3
                  • Part of subcall function 00904792: WriteProcessMemory.KERNEL32(000000FF,?,?,00000005,?,?,?,00904874,?,00000000,?,?,00000000), ref: 009047C7
                  • Part of subcall function 00904792: VirtualProtect.KERNEL32(?,?,?,00000000,?,?,00904874,?,00000000,?,?,00000000), ref: 009047DA
                  • Part of subcall function 00904792: FlushInstructionCache.KERNEL32(000000FF,?,?,?,?,00904874,?,00000000,?,?,00000000,?,?,?,?,0090440D), ref: 009047E8
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: AddressProc$Virtual$Protect$CacheFlushInstructionLibraryLoadMemoryProcessQueryWrite
                • String ID: NtClose$NtCreateSection$NtMapViewOfSection$NtOpenFile$NtOpenSection$NtQueryAttributesFile$ntdll
                • API String ID: 1694779802-2731749698
                • Opcode ID: d5e38b7b5914d8a8cb9528dfac6b95f4af5dade08a233ff294fa06b9972deaf2
                • Instruction ID: 9ba592837169e1aef9d85854e1287f729f36d9188cc737d80cdad2a1380147e0
                • Opcode Fuzzy Hash: d5e38b7b5914d8a8cb9528dfac6b95f4af5dade08a233ff294fa06b9972deaf2
                • Instruction Fuzzy Hash: 8B214FB1941219BFCB00EBE59C85DFFBFBCEB89754F004455FA08A2152DB746E119BA0
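The two entries above resolve NtMapViewOfSection, NtQueryAttributesFile, NtOpenFile, NtCreateSection, NtOpenSection and NtClose from ntdll and then, in the subcalls at 009045F4 and 00904792, make a page writable (VirtualProtect with 0x40 = PAGE_EXECUTE_READWRITE), write exactly five bytes into the current process (WriteProcessMemory with the 0xFFFFFFFF pseudo-handle), restore the protection and call FlushInstructionCache. Five bytes is the size of an E9 rel32 jump, so the most plausible reading is the installation of inline hooks on those six ntdll exports; that reading is an inference from the trace, not a statement made by the report. The checker below is an added example, not code from the report or from Metasploit: it compares an export's on-disk prologue with the bytes seen in memory and, when the patch is a relative jump, resolves the target and flags targets outside the hooked module. All addresses, stub bytes and the 0x900000 target region are constructed for the example.

```python
import struct

JMP_REL32 = 0xE9   # opcode of a 5-byte relative jump
PATCH_LEN = 5      # same length as the WriteProcessMemory call in the trace


def decode_jmp_rel32(code: bytes, va: int):
    """If `code` (bytes mapped at virtual address `va`) starts with E9 rel32,
    return the absolute jump target; otherwise return None."""
    if len(code) < PATCH_LEN or code[0] != JMP_REL32:
        return None
    rel = struct.unpack_from("<i", code, 1)[0]
    return (va + PATCH_LEN + rel) & 0xFFFFFFFF


def make_jmp(from_va: int, to_va: int) -> bytes:
    """Build the 5-byte E9 patch a hook installer would write at `from_va`."""
    return bytes([JMP_REL32]) + struct.pack("<i", to_va - (from_va + PATCH_LEN))


def classify_export(name, va, on_disk, in_memory, module_base, module_size):
    """Compare an export's first PATCH_LEN bytes as mapped from disk with the
    bytes observed in the live process.

    patched: prologue differs from the on-disk copy
    target:  absolute target if the patch is an E9 jump, else None
    foreign: target lies outside the hooked module (typical for an injected
             payload living in its own allocation)
    """
    disk, mem = on_disk[:PATCH_LEN], in_memory[:PATCH_LEN]
    patched = disk != mem
    target = decode_jmp_rel32(mem, va) if patched else None
    foreign = target is not None and not (module_base <= target < module_base + module_size)
    return {"name": name, "va": va, "patched": patched, "target": target, "foreign": foreign}


# Constructed sample data: hypothetical addresses and stub bytes, not values from the report.
NTDLL_BASE, NTDLL_SIZE = 0x77D00000, 0x00180000
PAYLOAD_REGION = 0x00904740   # hypothetical hook handler inside a 0x900000 mapping
# mov eax, 0x28 ; mov edx, 0x7FFE0300  (typical 32-bit Nt* stub shape, constructed)
CLEAN_STUB = bytes.fromhex("B828000000BA0003FE7F")

EXPORTS = {
    # name: (va, on-disk bytes, in-memory bytes)
    "NtMapViewOfSection":    (0x77D2A1F0, CLEAN_STUB, make_jmp(0x77D2A1F0, PAYLOAD_REGION) + CLEAN_STUB[PATCH_LEN:]),
    "NtOpenFile":            (0x77D2A3C0, CLEAN_STUB, CLEAN_STUB),
    "NtQueryAttributesFile": (0x77D2A5D0, CLEAN_STUB, CLEAN_STUB),
}


def scan(exports=EXPORTS, base=NTDLL_BASE, size=NTDLL_SIZE):
    """Classify every export; hooked ones come back with patched=True."""
    return [classify_export(n, va, d, m, base, size) for n, (va, d, m) in exports.items()]


def hooked_names(exports=EXPORTS):
    return [r["name"] for r in scan(exports) if r["patched"]]


if __name__ == "__main__":
    for r in scan():
        line = f"{'HOOKED' if r['patched'] else 'clean '} {r['name']:<22} 0x{r['va']:08X}"
        if r["target"] is not None:
            line += f" -> 0x{r['target']:08X}" + (" (outside module)" if r["foreign"] else "")
        print(line)
```

On a live host the "on-disk" bytes would come from a fresh mapping of ntdll.dll (or a known-good copy) and the in-memory bytes from reading the target process; comparing whole prologues rather than only looking for E9 also catches push/ret and mov/jmp patch styles, which is why the checker reports `patched` independently of `target`.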
                APIs
                • ConnectNamedPipe.KERNEL32(?,?), ref: 00906EBA
                • GetLastError.KERNEL32 ref: 00906EC0
                • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 00906EFE
                • GetLastError.KERNEL32 ref: 00906F08
                • ResetEvent.KERNEL32(?), ref: 00906F28
                • _free.LIBCMT ref: 00906F61
                • ResetEvent.KERNEL32(00000000), ref: 0090710D
                • ReadFile.KERNEL32(?,?,00010000,00000000,?), ref: 00907133
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: ErrorEventLastReset$ConnectFileNamedOverlappedPipeReadResult_free
                • String ID:
                • API String ID: 1818538505-0
                • Opcode ID: 6e756cfb086848ead2eab03c07ec6fbc8633600c27f9981a7abb335262561fa2
                • Instruction ID: e2b2c5d14a38a4ee0637ce2d89ad0b034cc41ac7e668adef05d1a5b3d976d8a3
                • Opcode Fuzzy Hash: 6e756cfb086848ead2eab03c07ec6fbc8633600c27f9981a7abb335262561fa2
                • Instruction Fuzzy Hash: 5071D271A08605BFD725AB70CC85FEAF7ACFF49720F004629F619961C1DB70B9618BA0
                APIs
                • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,0040B04D,00000000,00000000,?), ref: 0040B0B3
                • GetLastError.KERNEL32(?,0040B04D,00000000,00000000,?), ref: 0040B0C3
                • GetLastError.KERNEL32(?,0040B04D,00000000,00000000,?), ref: 0040B0D2
                • ReadFile.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,0040B04D,00000000,00000000,?), ref: 0040B149
                • GetLastError.KERNEL32(?,0040B04D,00000000,00000000,?), ref: 0040B160
                • GetLastError.KERNEL32(?,0040B04D,00000000,00000000,?), ref: 0040B16A
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040B19B
                • WaitForSingleObject.KERNEL32(?,00000000,?,0040B04D,00000000,00000000,?), ref: 0040B1B7
                • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,?,0040B04D,00000000,00000000,?), ref: 0040B206
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$FileNamedObjectOverlappedPeekPipeReadResultSingleUnothrow_t@std@@@Wait__ehfuncinfo$??2@
                • String ID: CancelIo
                • API String ID: 4218860098-2988344177
                • Opcode ID: 2262a270e04772144b330fc8022523d05f1d8f361657aad5a0911b0a1537bac0
                • Instruction ID: 6e1920a353819d14102199b1f7b27055858b2043c0ebf3dbc580d15f2d9c4852
                • Opcode Fuzzy Hash: 2262a270e04772144b330fc8022523d05f1d8f361657aad5a0911b0a1537bac0
                • Instruction Fuzzy Hash: B87172753002059BD724CFA9DC90BAB73A5EB84754F14893EE959EB780D778EC01CB98
                APIs
                Strings
                • %s: invalid URL, xrefs: 004015A2
                • @<A, xrefs: 004014C2
                • %s: Invalid Concurrency [Range 0..%d], xrefs: 004015DC
                • %s: wrong number of arguments, xrefs: 00401555
                • %s: Cannot use concurrency level greater than total number of requests, xrefs: 00401610
                • gfff, xrefs: 0040163C
                • n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq, xrefs: 00401521
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: fprintf$atoistrchr
                • String ID: %s: Cannot use concurrency level greater than total number of requests$%s: Invalid Concurrency [Range 0..%d]$%s: invalid URL$%s: wrong number of arguments$@<A$gfff$n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq
                • API String ID: 3612400412-2805153618
                • Opcode ID: 086c3ed2d15ccbf7f785f21e75bbb9d05ebce68362d5a2d5de550486dcdc1c76
                • Instruction ID: 1856bb30a29f67c2e9cb3809bc9c1c65f3c91895ab6ed7edb9808eff0ea4e1fd
                • Opcode Fuzzy Hash: 086c3ed2d15ccbf7f785f21e75bbb9d05ebce68362d5a2d5de550486dcdc1c76
                • Instruction Fuzzy Hash: 924192B4A00104EFD714DFA8ED91D2A73A5EBC8308B14C57AE905EB3A1D638ED45CB98
                APIs
                • GetCommandLineW.KERNEL32(?,?,?,?,0040104A,?,?,00000000), ref: 00405D57
                • GlobalFree.KERNEL32(00000000), ref: 00405DAD
                  • Part of subcall function 0040A940: LoadLibraryA.KERNEL32(?,00000000,?,00405D79,00000004,CommandLineToArgvW,00000000,?,?,?,?,0040104A,?,?,00000000), ref: 0040A961
                • GetEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,0040104A,?,?,00000000), ref: 00405DB4
                • __p__environ.MSVCRT ref: 00405DBF
                • malloc.MSVCRT ref: 00405DDD
                • __p__environ.MSVCRT ref: 00405DE8
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405E03
                • __p__wenviron.MSVCRT ref: 00405E0F
                • __p__wenviron.MSVCRT ref: 00405E18
                • __p__wenviron.MSVCRT ref: 00405E1C
                • free.MSVCRT ref: 00405E25
                • SetLastError.KERNEL32(00000001), ref: 00405E3A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: __p__wenviron$EnvironmentFreeStrings__p__environ$CommandErrorGlobalLastLibraryLineLoadfreemalloc
                • String ID: CommandLineToArgvW
                • API String ID: 1811805695-1958408031
                • Opcode ID: e32ffa2a7bbaf6db530dde6c377b5b83cc851f2c1875d256f522af5819bf043e
                • Instruction ID: 489f981059dec82afb1c60ae41dcf19cfb0c9f7c5ffe1f3ef3c76cb7f27ed2a9
                • Opcode Fuzzy Hash: e32ffa2a7bbaf6db530dde6c377b5b83cc851f2c1875d256f522af5819bf043e
                • Instruction Fuzzy Hash: 58310271600615DFD710AB64EC48A6B37A8EF45300B04423AED01B7391EB78DD10CFD9
                APIs
                • _malloc.LIBCMT ref: 0090A1DA
                  • Part of subcall function 0090F7C0: __FF_MSGBANNER.LIBCMT ref: 0090F7D7
                  • Part of subcall function 0090F7C0: __NMSG_WRITE.LIBCMT ref: 0090F7DE
                  • Part of subcall function 0090F7C0: RtlAllocateHeap.NTDLL(006C0000,00000000,00000001,00000000,00000000,00000000,?,00918CB7,?,?,?,00000000,?,0091903E,00000018,00925620), ref: 0090F803
                • _memset.LIBCMT ref: 0090A1F0
                • GetCurrentThreadId.KERNEL32 ref: 0090A1F8
                  • Part of subcall function 0090A133: _malloc.LIBCMT ref: 0090A136
                • LoadLibraryA.KERNEL32(kernel32.dll,?,?,000000FF,?,?,?,?,?,?,?,?,?,009078FB), ref: 0090A20D
                • GetProcAddress.KERNEL32(00000000,OpenThread), ref: 0090A21E
                • LoadLibraryA.KERNEL32(ntdll.dll,?,?,000000FF,?,?,?,?,?,?,?,?,?,009078FB), ref: 0090A23A
                • GetProcAddress.KERNEL32(00000000,NtOpenThread), ref: 0090A249
                • FreeLibrary.KERNEL32(?,?,?,000000FF,?,?,?,?,?,?,?,?,?,009078FB), ref: 0090A286
                • FreeLibrary.KERNEL32(00000000,?,?,000000FF,?,?,?,?,?,?,?,?,?,009078FB), ref: 0090A28D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: Library$AddressFreeLoadProc_malloc$AllocateCurrentHeapThread_memset
                • String ID: NtOpenThread$OpenThread$kernel32.dll$ntdll.dll
                • API String ID: 4115028961-1307226884
                • Opcode ID: dc022ba17c07f00491f5cdf5870fb3854acba8da63dd57a6a6e027fc85e9ac4a
                • Instruction ID: 3af476f8e6baaac1838448d263b574a892759b6a9227ab58783ccec0a6db1649
                • Opcode Fuzzy Hash: dc022ba17c07f00491f5cdf5870fb3854acba8da63dd57a6a6e027fc85e9ac4a
                • Instruction Fuzzy Hash: 2321C636E44305BFD721AFE5DC09B9EBBF8EF58711F004429F901E2191D77495119BA2
                APIs
                • _memmove.LIBCMT ref: 0090736A
                • htonl.WS2_32(?), ref: 009073A1
                • _calloc.LIBCMT ref: 0090740D
                • htonl.WS2_32(?), ref: 00907428
                • _memcmp.LIBCMT ref: 0090745F
                • _memcmp.LIBCMT ref: 0090749A
                  • Part of subcall function 009101E0: _malloc.LIBCMT ref: 009101EC
                • _memmove.LIBCMT ref: 009074AA
                  • Part of subcall function 0090722B: CloseHandle.KERNEL32(89C03359,00000000,?,009074CF,?), ref: 00907242
                  • Part of subcall function 0090722B: CloseHandle.KERNEL32(0F078900,00000000,?,009074CF,?), ref: 0090726E
                  • Part of subcall function 0090722B: _free.LIBCMT ref: 00907283
                  • Part of subcall function 0090722B: _free.LIBCMT ref: 00907291
                • _free.LIBCMT ref: 009074D0
                  • Part of subcall function 0090F788: HeapFree.KERNEL32(00000000,00000000,?,009158F9,00000000,?,?,?,00000000,?,0091903E,00000018,00925620,00000008,00918F8B,?), ref: 0090F79C
                  • Part of subcall function 0090F788: GetLastError.KERNEL32(00000000,?,009158F9,00000000,?,?,?,00000000,?,0091903E,00000018,00925620,00000008,00918F8B,?,?), ref: 0090F7AE
                • CoCreateGuid.OLE32(?), ref: 009074E0
                • htonl.WS2_32(?), ref: 009074E8
                • htons.WS2_32(?), ref: 009074FE
                • htons.WS2_32(?), ref: 0090750F
                • _calloc.LIBCMT ref: 00907524
                • _free.LIBCMT ref: 0090758B
                • _memmove.LIBCMT ref: 009075E6
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: _free$_memmovehtonl$CloseHandle_calloc_memcmphtons$CreateErrorFreeGuidHeapLast_malloc
                • String ID:
                • API String ID: 2366856222-0
                • Opcode ID: ef811fbd745a7e9bda797724a23062a4e548339a76878a16e0eec4321f125540
                • Instruction ID: baceaead14e114597fbf0425b7f047c17e28a2454b40cb22a4dab553dc77b326
                • Opcode Fuzzy Hash: ef811fbd745a7e9bda797724a23062a4e548339a76878a16e0eec4321f125540
                • Instruction Fuzzy Hash: 2781B772904204BFDB109F64DC81BDA77A8EF59710F08417AFD48DF196DBB5AA90CBA0
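The function above, in the 0x900000 mapping that the report attributes to Meterpreter, calls CoCreateGuid and then htonl/htons before copying the result into freshly allocated buffers. That is consistent with building the session GUID and the network-order header fields of Meterpreter's TLV packet framing: a 4-byte XOR key, a 16-byte session GUID, then big-endian encryption flags, packet length and packet type, followed by TLVs whose length field includes their own 8-byte header; everything after the XOR key is XORed with that key. The encoder/decoder below is an added example, not code from the report or from Metasploit, written from the framework's published packet definitions; the sample GUID, XOR key and request are constructed, and AES-256-encrypted packets are rejected rather than decoded because that needs the negotiated session key.

```python
import struct

# Meta types and a few well-known TLV / packet types (Meterpreter protocol constants).
TLV_META_TYPE_STRING = 1 << 16
TLV_META_TYPE_UINT   = 1 << 17
TLV_TYPE_METHOD      = TLV_META_TYPE_STRING | 1
TLV_TYPE_REQUEST_ID  = TLV_META_TYPE_STRING | 2
TLV_TYPE_RESULT      = TLV_META_TYPE_UINT | 4
PACKET_TYPE_REQUEST  = 0
PACKET_TYPE_RESPONSE = 1
ENC_FLAG_NONE        = 0
HEADER_LEN = 4 + 16 + 4 + 4 + 4   # xor key, session GUID, enc flags, length, type

# Constructed values for the worked example (not taken from the report).
SAMPLE_GUID = bytes.fromhex("0123456789abcdef0123456789abcdef")
SAMPLE_XOR_KEY = b"\x11\x22\x33\x44"


def xor_bytes(key: bytes, data: bytes) -> bytes:
    """Cycle the 4-byte key over data: wire obfuscation, not encryption."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def encode_tlv(tlv_type: int, value) -> bytes:
    if tlv_type & TLV_META_TYPE_STRING:
        raw = value.encode() + b"\x00"          # strings are NUL-terminated on the wire
    elif tlv_type & TLV_META_TYPE_UINT:
        raw = struct.pack(">I", value)
    else:
        raw = bytes(value)
    return struct.pack(">II", len(raw) + 8, tlv_type) + raw   # length includes this 8-byte header


def encode_packet(packet_type, tlvs, session_guid=SAMPLE_GUID, xor_key=SAMPLE_XOR_KEY) -> bytes:
    body = b"".join(encode_tlv(t, v) for t, v in tlvs)
    header = session_guid + struct.pack(">III", ENC_FLAG_NONE, len(body) + 8, packet_type)
    return xor_key + xor_bytes(xor_key, header + body)   # everything after the key is XORed


def decode_packet(raw: bytes) -> dict:
    if len(raw) < HEADER_LEN:
        raise ValueError("short packet")
    xor_key = raw[:4]
    plain = xor_bytes(xor_key, raw[4:])
    guid = plain[:16]
    enc_flags, length, ptype = struct.unpack_from(">III", plain, 16)
    if enc_flags != ENC_FLAG_NONE:
        raise ValueError("encrypted packet: needs the negotiated AES-256 session key")
    body = plain[28:28 + length - 8]
    if len(body) != length - 8:
        raise ValueError("truncated body")
    tlvs, off = [], 0
    while off < len(body):
        tlen, ttype = struct.unpack_from(">II", body, off)
        if tlen < 8 or off + tlen > len(body):
            raise ValueError("bad TLV length")
        val = body[off + 8:off + tlen]
        if ttype & TLV_META_TYPE_STRING:
            val = val.rstrip(b"\x00").decode()
        elif ttype & TLV_META_TYPE_UINT:
            val = struct.unpack(">I", val)[0]
        tlvs.append((ttype, val))
        off += tlen
    return {"xor_key": xor_key, "session_guid": guid, "type": ptype, "length": length, "tlvs": tlvs}


def sample_request() -> bytes:
    """A constructed core_machine_id request, as it would appear on the wire."""
    return encode_packet(PACKET_TYPE_REQUEST,
                         [(TLV_TYPE_METHOD, "core_machine_id"), (TLV_TYPE_REQUEST_ID, "00001")])


if __name__ == "__main__":
    pkt = sample_request()
    print(pkt.hex())
    for k, v in decode_packet(pkt).items():
        print(f"{k}: {v!r}")
```

Because the XOR key is sent in clear in the first four bytes, a network sensor can undo the obfuscation on any unencrypted packet and read the method name, which is what makes the `length` and `type` fields useful for sanity-checking a suspected Meterpreter stream.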
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _free_wcsncpy$_calloc_mbstowcs_memmove$_memset_wcscpy
                • String ID:
                • API String ID: 1390386863-0
                • Opcode ID: c2dd29842cca926379c19f723b0ff620131187b3a19e11a9fd511e1e013bc536
                • Instruction ID: 6a30154e221999fbaf01c3c5cfc9cdcba66481202623005788be2dbc6d20b6eb
                • Opcode Fuzzy Hash: c2dd29842cca926379c19f723b0ff620131187b3a19e11a9fd511e1e013bc536
                • Instruction Fuzzy Hash: 7C7113B1E01314BBDB10EBA59D85FDF77BCAF08704F45445AF605B7242E7789A808BA8
                APIs
                • atoi.MSVCRT(?), ref: 004010C3
                • fprintf.MSVCRT ref: 0040155B
                • fprintf.MSVCRT ref: 004015A8
                • fprintf.MSVCRT ref: 004015E2
                • fprintf.MSVCRT ref: 00401616
                  • Part of subcall function 00401750: fprintf.MSVCRT ref: 00401766
                  • Part of subcall function 00401750: printf.MSVCRT ref: 0040177E
                  • Part of subcall function 00401750: exit.MSVCRT ref: 00401789
                  • Part of subcall function 00401750: printf.MSVCRT ref: 004017F9
                  • Part of subcall function 00401750: printf.MSVCRT ref: 00401817
                  • Part of subcall function 00401750: printf.MSVCRT ref: 00401835
                  • Part of subcall function 00401750: fflush.MSVCRT ref: 00401841
                  • Part of subcall function 00401750: calloc.MSVCRT ref: 0040185C
                  • Part of subcall function 00401750: calloc.MSVCRT ref: 0040186B
                Strings
                • %s: invalid URL, xrefs: 004015A2
                • %s: Invalid Concurrency [Range 0..%d], xrefs: 004015DC
                • %s: wrong number of arguments, xrefs: 00401555
                • %s: Cannot use concurrency level greater than total number of requests, xrefs: 00401610
                • gfff, xrefs: 0040163C
                • n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq, xrefs: 00401521
                • Invalid number of requests, xrefs: 004010D9
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: fprintf$printf$calloc$atoiexitfflush
                • String ID: %s: Cannot use concurrency level greater than total number of requests$%s: Invalid Concurrency [Range 0..%d]$%s: invalid URL$%s: wrong number of arguments$Invalid number of requests$gfff$n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq
                • API String ID: 652337496-4066330456
                • Opcode ID: 4b91acfde98a41790a2f52f92089b9e57d965b314ece47fe5be4355c8ef3f700
                • Instruction ID: e79734e27559c954133449f1f081e856732bac6ef2ffc18207dc3d3d273de198
                • Opcode Fuzzy Hash: 4b91acfde98a41790a2f52f92089b9e57d965b314ece47fe5be4355c8ef3f700
                • Instruction Fuzzy Hash: 674173B4A00104ABD714DFA9DD81D2A7365EBC8308B14C57EF909EB3E1D638E945CB99
                APIs
                  • Part of subcall function 0090A109: WaitForSingleObject.KERNEL32(?,000000FF,?,00904A00,00000001,00000000,?,009049E4,00000000,00000000,00906503,00000000,00000000,0090798B), ref: 0090A117
                • ReadFile.KERNEL32(?,00000000,00000020,?,00000000), ref: 00907FB5
                • SetLastError.KERNEL32(00000008), ref: 00907FD6
                • _malloc.LIBCMT ref: 00907FEF
                • _free.LIBCMT ref: 00908005
                • SetLastError.KERNEL32(00000000), ref: 00908014
                • GetLastError.KERNEL32 ref: 00908022
                • _free.LIBCMT ref: 0090802F
                • _memmove.LIBCMT ref: 00908076
                • htonl.WS2_32(?), ref: 00908081
                • _malloc.LIBCMT ref: 0090808E
                • _memcpy_s.LIBCMT ref: 009080B9
                • SetLastError.KERNEL32(00000000), ref: 009080EF
                • _free.LIBCMT ref: 009080F6
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$_free$_malloc$FileObjectReadSingleWait_memcpy_s_memmovehtonl
                • String ID:
                • API String ID: 3183376787-0
                • Opcode ID: 17e51e902376df02ad5d0e7171ccc41dbd2889459c43efd0945793619eb13668
                • Instruction ID: 6e13afea83b15f6f37be4f7ee2ef16309e4a4ae8f4276085b7cfa45e72d64975
                • Opcode Fuzzy Hash: 17e51e902376df02ad5d0e7171ccc41dbd2889459c43efd0945793619eb13668
                • Instruction Fuzzy Hash: B5515472D04209AFDB20DBE4CC85FDEB7BDAB48310F144465FA05E6191DB70EA549BA1
                APIs
                • _memset.LIBCMT ref: 009029AC
                • GetVersionExW.KERNEL32(00000114,?,?,00000000), ref: 009029C5
                • GetLastError.KERNEL32(?,?,00000000), ref: 009029CF
                • SetLastError.KERNEL32(00000005,?,?,00000000), ref: 009029F0
                • VirtualAlloc.KERNEL32(00000000,00000052,00003000,00000040,00000000,00000000,?,?,00000000), ref: 00902A0C
                • GetLastError.KERNEL32(?,?,00000000), ref: 00902A15
                • VirtualAlloc.KERNEL32(00000000,00000149,00003000,00000040,?,?,00000000), ref: 00902A2C
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00902A34
                • VirtualFree.KERNEL32(?,00000000,00004000,?,?,?,?,?,?,?,?,00000000), ref: 00902AAD
                • VirtualFree.KERNEL32(00000000,00000000,00004000,?,?,?,?,?,?,?,?,00000000), ref: 00902ABB
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLastVirtual$AllocFree$Version_memset
                • String ID:
                • API String ID: 1729307151-0
                • Opcode ID: e19a84e62bd87661747cd82065fb04d7cc99092daff0539bf0cacd8a7cb718d5
                • Instruction ID: 996cd7431075c665b9ab31d3ba5350ed2eb80217777c141c1a67acdd2ce878fc
                • Opcode Fuzzy Hash: e19a84e62bd87661747cd82065fb04d7cc99092daff0539bf0cacd8a7cb718d5
                • Instruction Fuzzy Hash: A631C431B44309AFDB359F649D4AFDA77B8AF54B01F100065FB09E72C0DB709D909AA4
                APIs
                • _free.LIBCMT ref: 00909A70
                  • Part of subcall function 0090F788: HeapFree.KERNEL32(00000000,00000000,?,009158F9,00000000,?,?,?,00000000,?,0091903E,00000018,00925620,00000008,00918F8B,?), ref: 0090F79C
                  • Part of subcall function 0090F788: GetLastError.KERNEL32(00000000,?,009158F9,00000000,?,?,?,00000000,?,0091903E,00000018,00925620,00000008,00918F8B,?,?), ref: 0090F7AE
                • _free.LIBCMT ref: 00909A81
                • _free.LIBCMT ref: 00909A92
                • _free.LIBCMT ref: 00909AA3
                • _free.LIBCMT ref: 00909AB4
                • _free.LIBCMT ref: 00909AC5
                • _free.LIBCMT ref: 00909AD6
                • GlobalFree.KERNEL32(00000000), ref: 00909AEF
                • GlobalFree.KERNEL32(00000000), ref: 00909AFE
                • _free.LIBCMT ref: 00909B0D
                • _free.LIBCMT ref: 00909B25
                • _free.LIBCMT ref: 00909B37
                • _free.LIBCMT ref: 00909B41
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: _free$Free$Global$ErrorHeapLast
                • String ID:
                • API String ID: 1580220124-0
                • Opcode ID: 37dfe57f52d9f08493c3006793f710b33d886644d5de92d91694d644d8a46955
                • Instruction ID: 40a153d3ea2043501b93a442198833f3676c752336419080f95ebb73cbaaf74e
                • Opcode Fuzzy Hash: 37dfe57f52d9f08493c3006793f710b33d886644d5de92d91694d644d8a46955
                • Instruction Fuzzy Hash: 14319832544B05DFCB359F25E9D0612BBF9BF48325B94463EE08A05CE3C730A892CE45
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: CloseHandle_calloc_memmove$___from_strstr_to_strchr__snprintf_s_free_malloc
                • String ID: \\%s\pipe\%s
                • API String ID: 4243514083-540213758
                • Opcode ID: 2e6fc87e1336b02732d76223a52f80167a0c41bf566c8fe6d0472d1144f28853
                • Instruction ID: 6c6c1d117811018f00d0630f47cbc56a10c7b2fc3f959225b963016dc21c1b1d
                • Opcode Fuzzy Hash: 2e6fc87e1336b02732d76223a52f80167a0c41bf566c8fe6d0472d1144f28853
                • Instruction Fuzzy Hash: FE411576A40709BFD721AB74DC02BEBB7BCEF84710F104529F958A61C2EBB1D9608690
                APIs
                • fprintf.MSVCRT ref: 0040155B
                • fprintf.MSVCRT ref: 004015A8
                • fprintf.MSVCRT ref: 004015E2
                • fprintf.MSVCRT ref: 00401616
                  • Part of subcall function 00401750: fprintf.MSVCRT ref: 00401766
                  • Part of subcall function 00401750: printf.MSVCRT ref: 0040177E
                  • Part of subcall function 00401750: exit.MSVCRT ref: 00401789
                  • Part of subcall function 00401750: printf.MSVCRT ref: 004017F9
                  • Part of subcall function 00401750: printf.MSVCRT ref: 00401817
                  • Part of subcall function 00401750: printf.MSVCRT ref: 00401835
                  • Part of subcall function 00401750: fflush.MSVCRT ref: 00401841
                  • Part of subcall function 00401750: calloc.MSVCRT ref: 0040185C
                  • Part of subcall function 00401750: calloc.MSVCRT ref: 0040186B
                Strings
                • %s: invalid URL, xrefs: 004015A2
                • %s: Invalid Concurrency [Range 0..%d], xrefs: 004015DC
                • %s: wrong number of arguments, xrefs: 00401555
                • Cannot mix POST/PUT and HEAD, xrefs: 00401132
                • %s: Cannot use concurrency level greater than total number of requests, xrefs: 00401610
                • gfff, xrefs: 0040163C
                • n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq, xrefs: 00401521
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: fprintf$printf$calloc$exitfflush
                • String ID: %s: Cannot use concurrency level greater than total number of requests$%s: Invalid Concurrency [Range 0..%d]$%s: invalid URL$%s: wrong number of arguments$Cannot mix POST/PUT and HEAD$gfff$n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq
                • API String ID: 1218975192-2439519685
                • Opcode ID: f8b07cf69736e50ab67558ff0588daad810697a5d73759921472412d3f3b2fd1
                • Instruction ID: 392d88f06bbced629e55fd60cb21604cd855796d70e8d899cb708ce0fd2956d0
                • Opcode Fuzzy Hash: f8b07cf69736e50ab67558ff0588daad810697a5d73759921472412d3f3b2fd1
                • Instruction Fuzzy Hash: FA4172B4A00104ABD714EF99ED81D2A7365EBC8308B14C57EF909EB3E1D638E945CB99
                APIs
                • atoi.MSVCRT(?), ref: 00401241
                • fprintf.MSVCRT ref: 0040155B
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040432D
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040433E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040434E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040435F
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404370
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404380
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404391
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043A2
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043B5
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043C6
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043D7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043E7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043F8
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404409
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404419
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040442A
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040443E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040444E
                • fprintf.MSVCRT ref: 004015A8
                • fprintf.MSVCRT ref: 004015E2
                • fprintf.MSVCRT ref: 00401616
                Strings
                • %s: invalid URL, xrefs: 004015A2
                • %s: Invalid Concurrency [Range 0..%d], xrefs: 004015DC
                • %s: wrong number of arguments, xrefs: 00401555
                • %s: Cannot use concurrency level greater than total number of requests, xrefs: 00401610
                • gfff, xrefs: 0040163C
                • n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq, xrefs: 00401521
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: fprintf$atoi
                • String ID: %s: Cannot use concurrency level greater than total number of requests$%s: Invalid Concurrency [Range 0..%d]$%s: invalid URL$%s: wrong number of arguments$gfff$n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq
                • API String ID: 1898439266-1122596264
                • Opcode ID: ab53d8bc5da527ee0feb54d82162bafe25a98d8a808fa4c8e9d52b030ed552e7
                • Instruction ID: aa9f617b81f4437ef90117b7fb5f652c2059616a35c8ed6175574abd8a148348
                • Opcode Fuzzy Hash: ab53d8bc5da527ee0feb54d82162bafe25a98d8a808fa4c8e9d52b030ed552e7
                • Instruction Fuzzy Hash: C941A2B4A00104EBD714DFA4ED81D2A7365EBC8308B14C57EF909EB3E1D638E945CB98
                APIs
                • _strdup.MSVCRT(?), ref: 00401152
                • fprintf.MSVCRT ref: 0040155B
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040432D
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040433E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040434E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040435F
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404370
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404380
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404391
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043A2
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043B5
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043C6
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043D7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043E7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043F8
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404409
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404419
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040442A
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040443E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040444E
                • fprintf.MSVCRT ref: 004015A8
                • fprintf.MSVCRT ref: 004015E2
                • fprintf.MSVCRT ref: 00401616
                Strings
                • %s: invalid URL, xrefs: 004015A2
                • %s: Invalid Concurrency [Range 0..%d], xrefs: 004015DC
                • %s: wrong number of arguments, xrefs: 00401555
                • %s: Cannot use concurrency level greater than total number of requests, xrefs: 00401610
                • gfff, xrefs: 0040163C
                • n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq, xrefs: 00401521
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: fprintf$_strdup
                • String ID: %s: Cannot use concurrency level greater than total number of requests$%s: Invalid Concurrency [Range 0..%d]$%s: invalid URL$%s: wrong number of arguments$gfff$n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq
                • API String ID: 1169352161-1122596264
                • Opcode ID: 12440ac565f6142b92c5f6ed79c01b06db47ebfc9094fbd820c5793d6e06a403
                • Instruction ID: 61739c06db0445b0aa7ca92dbf2048a62a7844db9e06b96a1d99b4ab2c9f5f53
                • Opcode Fuzzy Hash: 12440ac565f6142b92c5f6ed79c01b06db47ebfc9094fbd820c5793d6e06a403
                • Instruction Fuzzy Hash: 044171B4A00104EBD714DFA5ED81D2A7369EBC8308B14C57EF909EB3E1D638E945CB98
                APIs
                • _strdup.MSVCRT(?), ref: 00401171
                • fprintf.MSVCRT ref: 0040155B
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040432D
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040433E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040434E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040435F
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404370
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404380
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404391
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043A2
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043B5
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043C6
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043D7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043E7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043F8
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404409
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404419
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040442A
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040443E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040444E
                • fprintf.MSVCRT ref: 004015A8
                • fprintf.MSVCRT ref: 004015E2
                • fprintf.MSVCRT ref: 00401616
                Strings
                • %s: invalid URL, xrefs: 004015A2
                • %s: Invalid Concurrency [Range 0..%d], xrefs: 004015DC
                • %s: wrong number of arguments, xrefs: 00401555
                • %s: Cannot use concurrency level greater than total number of requests, xrefs: 00401610
                • gfff, xrefs: 0040163C
                • n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq, xrefs: 00401521
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: fprintf$_strdup
                • String ID: %s: Cannot use concurrency level greater than total number of requests$%s: Invalid Concurrency [Range 0..%d]$%s: invalid URL$%s: wrong number of arguments$gfff$n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq
                • API String ID: 1169352161-1122596264
                • Opcode ID: 333f515493014691ea9adab8963a3dba4cefa48062e40f184332333d5f353018
                • Instruction ID: a751faec121b572d8bebdd249e554fa6155a76d7d9c497ebc7685f8b486736f0
                • Opcode Fuzzy Hash: 333f515493014691ea9adab8963a3dba4cefa48062e40f184332333d5f353018
                • Instruction Fuzzy Hash: 284183B4A00104EBD714DFA5ED81D2A7369EBC8308B14C57EF905EB3E1D638E945CB98
                APIs
                • atoi.MSVCRT(?), ref: 00401106
                • fprintf.MSVCRT ref: 0040155B
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040432D
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040433E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040434E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040435F
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404370
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404380
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404391
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043A2
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043B5
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043C6
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043D7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043E7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043F8
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404409
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404419
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040442A
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040443E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040444E
                • fprintf.MSVCRT ref: 004015A8
                • fprintf.MSVCRT ref: 004015E2
                • fprintf.MSVCRT ref: 00401616
                Strings
                • %s: invalid URL, xrefs: 004015A2
                • %s: Invalid Concurrency [Range 0..%d], xrefs: 004015DC
                • %s: wrong number of arguments, xrefs: 00401555
                • %s: Cannot use concurrency level greater than total number of requests, xrefs: 00401610
                • gfff, xrefs: 0040163C
                • n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq, xrefs: 00401521
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: fprintf$atoi
                • String ID: %s: Cannot use concurrency level greater than total number of requests$%s: Invalid Concurrency [Range 0..%d]$%s: invalid URL$%s: wrong number of arguments$gfff$n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq
                • API String ID: 1898439266-1122596264
                • Opcode ID: 285a270088d641f77f5c3b298740d361e4ecbf503707714f0428369ac77dad53
                • Instruction ID: e2e755f66df4f0a0c0c1b6c2228099c74c4db24f2603499e0b6daa39f0af3246
                • Opcode Fuzzy Hash: 285a270088d641f77f5c3b298740d361e4ecbf503707714f0428369ac77dad53
                • Instruction Fuzzy Hash: 9A4183B4A00104EBD714DFA5ED91D2A7369EBC8308B14C57EF909EB3E1D638E945CB98
                APIs
                • atoi.MSVCRT(?), ref: 0040111A
                • fprintf.MSVCRT ref: 0040155B
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040432D
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040433E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040434E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040435F
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404370
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404380
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404391
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043A2
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043B5
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043C6
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043D7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043E7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043F8
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404409
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404419
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040442A
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040443E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040444E
                • fprintf.MSVCRT ref: 004015A8
                • fprintf.MSVCRT ref: 004015E2
                • fprintf.MSVCRT ref: 00401616
                Strings
                • %s: invalid URL, xrefs: 004015A2
                • %s: Invalid Concurrency [Range 0..%d], xrefs: 004015DC
                • %s: wrong number of arguments, xrefs: 00401555
                • %s: Cannot use concurrency level greater than total number of requests, xrefs: 00401610
                • gfff, xrefs: 0040163C
                • n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq, xrefs: 00401521
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: fprintf$atoi
                • String ID: %s: Cannot use concurrency level greater than total number of requests$%s: Invalid Concurrency [Range 0..%d]$%s: invalid URL$%s: wrong number of arguments$gfff$n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq
                • API String ID: 1898439266-1122596264
                • Opcode ID: 0ab57724d92000ca22b5cbd3326e1da87722eacedba54b8abff98e3aee9abdbd
                • Instruction ID: 5ead7e223a0408bfb9252aedc8425fb996e943740e62fd8a08dca869768123a1
                • Opcode Fuzzy Hash: 0ab57724d92000ca22b5cbd3326e1da87722eacedba54b8abff98e3aee9abdbd
                • Instruction Fuzzy Hash: 514182B4A00104EBD714DFA5ED91D2A7365EBC8308B14C57EF905EB3E1D638E945CB98
                APIs
                • atoi.MSVCRT(?), ref: 0040122D
                • fprintf.MSVCRT ref: 0040155B
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040432D
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040433E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040434E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040435F
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404370
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404380
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404391
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043A2
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043B5
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043C6
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043D7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043E7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043F8
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404409
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404419
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040442A
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040443E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040444E
                • fprintf.MSVCRT ref: 004015A8
                • fprintf.MSVCRT ref: 004015E2
                • fprintf.MSVCRT ref: 00401616
                Strings
                • %s: invalid URL, xrefs: 004015A2
                • %s: Invalid Concurrency [Range 0..%d], xrefs: 004015DC
                • %s: wrong number of arguments, xrefs: 00401555
                • %s: Cannot use concurrency level greater than total number of requests, xrefs: 00401610
                • gfff, xrefs: 0040163C
                • n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq, xrefs: 00401521
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: fprintf$atoi
                • String ID: %s: Cannot use concurrency level greater than total number of requests$%s: Invalid Concurrency [Range 0..%d]$%s: invalid URL$%s: wrong number of arguments$gfff$n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq
                • API String ID: 1898439266-1122596264
                • Opcode ID: 5937b50af52c7da9f3b42ae1a1b3a0a0a02e464b9be257520a923ff9efec17be
                • Instruction ID: 08013c388efca2fe28ebdd82844a539adbd35f472ec92180acb5311ffee17dd8
                • Opcode Fuzzy Hash: 5937b50af52c7da9f3b42ae1a1b3a0a0a02e464b9be257520a923ff9efec17be
                • Instruction Fuzzy Hash: 354172B4A00104EBD714DFA5ED91D2A7369EBC8308B14C57EF905EB3E1D638E945CB98
                APIs
                • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00909F6A
                • GetLastError.KERNEL32 ref: 00909F77
                • _memset.LIBCMT ref: 00909F8F
                • _memset.LIBCMT ref: 00909FA1
                • _memset.LIBCMT ref: 00909FAD
                • InternetCrackUrlW.WININET(?,00000000,00000000,0000003C), ref: 00909FE2
                • _free.LIBCMT ref: 00909FF1
                  • Part of subcall function 0090F788: HeapFree.KERNEL32(00000000,00000000,?,009158F9,00000000,?,?,?,00000000,?,0091903E,00000018,00925620,00000008,00918F8B,?), ref: 0090F79C
                  • Part of subcall function 0090F788: GetLastError.KERNEL32(00000000,?,009158F9,00000000,?,?,?,00000000,?,0091903E,00000018,00925620,00000008,00918F8B,?,?), ref: 0090F7AE
                • InternetConnectW.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0090A025
                • InternetSetOptionW.WININET(?,0000002B,00000000,00000000), ref: 0090A059
                • InternetSetOptionW.WININET(?,0000002C,00000000,00000000), ref: 0090A073
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                 • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: Internet$_memset$ErrorLastOption$ConnectCrackFreeHeapOpen_free
                • String ID: <
                • API String ID: 2538166667-4251816714
                • Opcode ID: 6b0199ee476f2b2b857619d731f4bedeabf701fe5dafa109a736ced6b24cd8f9
                • Instruction ID: efb596c84ca4bce693ac1367e89db8a07f58ad49a4b3774d1db7d491d2e9a0f2
                • Opcode Fuzzy Hash: 6b0199ee476f2b2b857619d731f4bedeabf701fe5dafa109a736ced6b24cd8f9
                • Instruction Fuzzy Hash: 5D412E71900608AFDB31AF62DC49E9BBBFCFB89700F00452EF649A25A1D775A985CB50
                APIs
                  • Part of subcall function 0090A109: WaitForSingleObject.KERNEL32(?,000000FF,?,00904A00,00000001,00000000,?,009049E4,00000000,00000000,00906503,00000000,00000000,0090798B), ref: 0090A117
                • SetLastError.KERNEL32(00000490), ref: 009094F3
                • SetLastError.KERNEL32(00000000), ref: 0090951B
                • GetLastError.KERNEL32 ref: 0090951D
                • SetLastError.KERNEL32(00000490), ref: 009096BD
                • GetLastError.KERNEL32 ref: 009096C2
                • _free.LIBCMT ref: 009096D3
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                 • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$ObjectSingleWait_free
                • String ID:
                • API String ID: 4243334350-0
                • Opcode ID: 1f78ec7ab42fdd963664ecab2400200574ac5b6ea8c4acf1eeea87485423916d
                • Instruction ID: 353fe61fe752c06e6030500732f229ee121136a95109915a512a3e4cd873b646
                • Opcode Fuzzy Hash: 1f78ec7ab42fdd963664ecab2400200574ac5b6ea8c4acf1eeea87485423916d
                • Instruction Fuzzy Hash: 27718EB1E00209AFDB14DFA5CC45BAEB7BCFF44310F104469F915E6282EB35EA508B90
                APIs
                • DecodePointer.KERNEL32(?,00000001,00913950,009254B0,00000008,00913A87,?,00000001,?,009254D0,0000000C,00913A26,?,00000001,?), ref: 00913C8A
                • _free.LIBCMT ref: 00913CA3
                  • Part of subcall function 0090F788: HeapFree.KERNEL32(00000000,00000000,?,009158F9,00000000,?,?,?,00000000,?,0091903E,00000018,00925620,00000008,00918F8B,?), ref: 0090F79C
                  • Part of subcall function 0090F788: GetLastError.KERNEL32(00000000,?,009158F9,00000000,?,?,?,00000000,?,0091903E,00000018,00925620,00000008,00918F8B,?,?), ref: 0090F7AE
                • _free.LIBCMT ref: 00913CB6
                • _free.LIBCMT ref: 00913CD4
                • _free.LIBCMT ref: 00913CE6
                • _free.LIBCMT ref: 00913CF7
                • _free.LIBCMT ref: 00913D02
                • _free.LIBCMT ref: 00913D26
                • EncodePointer.KERNEL32(006DADA8), ref: 00913D2D
                • _free.LIBCMT ref: 00913D42
                • _free.LIBCMT ref: 00913D58
                • _free.LIBCMT ref: 00913D80
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                 • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                 • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                • String ID:
                • API String ID: 3064303923-0
                • Opcode ID: fd5be8829a9451091bc7e0937b88ed81a0ff849766a2aafdbb64bd08eecf6ba9
                • Instruction ID: ab8622dc4d0d9dea100fba831881a9896fe6e0fc133180e71d5f4315732baf48
                • Opcode Fuzzy Hash: fd5be8829a9451091bc7e0937b88ed81a0ff849766a2aafdbb64bd08eecf6ba9
                • Instruction Fuzzy Hash: 3721A3B3A591158FCB307F25FC9155E77BCAB58321395413AF854A32B0C6349E83ABC2
                APIs
                • connect.WSOCK32(?,00000029,?,00401686,00401682,00000000), ref: 00406872
                • WSAGetLastError.WSOCK32 ref: 00406887
                • WSAGetLastError.WSOCK32 ref: 00406891
                • select.WSOCK32(00000041,00000000,?,?,?,?,?,000F4240,00000000,?,?,000F4240,00000000), ref: 00406923
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$connectselect
                • String ID: u
                • API String ID: 3361657481-3483738507
                • Opcode ID: 026e8efa42895d0f47fae0c319c09713302349c087e38c5d46c2d89564194933
                • Instruction ID: 1d19ce21af32cb8cfba87f123ab355a869ec54a57975a54dea637719fa212f1f
                • Opcode Fuzzy Hash: 026e8efa42895d0f47fae0c319c09713302349c087e38c5d46c2d89564194933
                • Instruction Fuzzy Hash: 4C51B7726002189BDB10DF59DD80AA7B7A8EB55320F0182BBED09EF3C1D675DD908FA4
                APIs
                • strncmp.MSVCRT ref: 0040459E
                • strchr.MSVCRT ref: 004045B1
                  • Part of subcall function 00406E20: _isctype.MSVCRT ref: 00406E6A
                  • Part of subcall function 00406E20: atoi.MSVCRT(004117F4,00000000,00000000,00000000,?,00404612,00411800,00000000,004117F4,00000000,?,?,00000001,00000000,00000000), ref: 00406E96
                • strncmp.MSVCRT ref: 0040468A
                • fprintf.MSVCRT ref: 004046A6
                • exit.MSVCRT ref: 004046B1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: strncmp$_isctypeatoiexitfprintfstrchr
                • String ID: :%d$SSL not compiled in; no https support$[%s]$http://$https://
                • API String ID: 3246724901-1117888160
                • Opcode ID: eefcb7fab76bdf78d587105c61a45419284c841004e5b73b49525f651bbea66b
                • Instruction ID: 65c1391e878ccf4021e8b776280897804e76f477e12c5199a4c6732b80ff3124
                • Opcode Fuzzy Hash: eefcb7fab76bdf78d587105c61a45419284c841004e5b73b49525f651bbea66b
                • Instruction Fuzzy Hash: B841F8B5604204ABC7149B79EC41AA73BD8E7C5355F04817AFA09E77D1FA7A98008BAC
                APIs
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040432D
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040433E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040434E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040435F
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404370
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404380
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404391
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043A2
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043B5
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043C6
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043D7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043E7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043F8
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404409
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404419
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040442A
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040443E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040444E
                • fprintf.MSVCRT ref: 0040155B
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040445F
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404470
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404480
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404491
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004044A2
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004044B2
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004044C6
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004044D7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004044E7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004044F8
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404509
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404519
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040452A
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040453B
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040454E
                  • Part of subcall function 00404310: exit.MSVCRT ref: 00404555
                • fprintf.MSVCRT ref: 004015A8
                • fprintf.MSVCRT ref: 004015E2
                • fprintf.MSVCRT ref: 00401616
                Strings
                • %s: invalid URL, xrefs: 004015A2
                • %s: Invalid Concurrency [Range 0..%d], xrefs: 004015DC
                • %s: wrong number of arguments, xrefs: 00401555
                • %s: Cannot use concurrency level greater than total number of requests, xrefs: 00401610
                • gfff, xrefs: 0040163C
                • n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq, xrefs: 00401521
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: fprintf$exit
                • String ID: %s: Cannot use concurrency level greater than total number of requests$%s: Invalid Concurrency [Range 0..%d]$%s: invalid URL$%s: wrong number of arguments$gfff$n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq
                • API String ID: 3254994702-1122596264
                • Opcode ID: 07b9ea5e0d1babc831519186dc154dff18f62be67f2946326c56cb09979220f1
                • Instruction ID: 5f15d3f61ad8db70b309381baeff66024721affd82d1f5d92100a229b2f44f45
                • Opcode Fuzzy Hash: 07b9ea5e0d1babc831519186dc154dff18f62be67f2946326c56cb09979220f1
                • Instruction Fuzzy Hash: 664163B4A00104ABD714DF95ED81D2A7369EBC8308B14C57EF909EB3E1D639E945CB98
                APIs
                • fprintf.MSVCRT ref: 0040155B
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040432D
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040433E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040434E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040435F
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404370
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404380
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404391
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043A2
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043B5
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043C6
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043D7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043E7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043F8
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404409
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404419
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040442A
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040443E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040444E
                • fprintf.MSVCRT ref: 004015A8
                • fprintf.MSVCRT ref: 004015E2
                • fprintf.MSVCRT ref: 00401616
                Strings
                • %s: invalid URL, xrefs: 004015A2
                • %s: Invalid Concurrency [Range 0..%d], xrefs: 004015DC
                • %s: wrong number of arguments, xrefs: 00401555
                • %s: Cannot use concurrency level greater than total number of requests, xrefs: 00401610
                • gfff, xrefs: 0040163C
                • n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq, xrefs: 00401521
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: fprintf
                • String ID: %s: Cannot use concurrency level greater than total number of requests$%s: Invalid Concurrency [Range 0..%d]$%s: invalid URL$%s: wrong number of arguments$gfff$n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq
                • API String ID: 383729395-1122596264
                • Opcode ID: 031685a38cb8ec84c053011e6ff69e1fae24f659ac29dc227d0a29b78d98220f
                • Instruction ID: 6cadcbe2bfa87631e95da2c6a7e0c492c5801309cc710279db2da1d0a758b026
                • Opcode Fuzzy Hash: 031685a38cb8ec84c053011e6ff69e1fae24f659ac29dc227d0a29b78d98220f
                • Instruction Fuzzy Hash: CC4182B4A00104ABD714DFA5DD81D2A7369EBC8308B14C57EF905EB3E1D638ED45CB98
                APIs
                • fprintf.MSVCRT ref: 0040155B
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040432D
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040433E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040434E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040435F
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404370
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404380
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404391
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043A2
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043B5
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043C6
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043D7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043E7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043F8
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404409
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404419
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040442A
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040443E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040444E
                • fprintf.MSVCRT ref: 004015A8
                • fprintf.MSVCRT ref: 004015E2
                • fprintf.MSVCRT ref: 00401616
                Strings
                • %s: invalid URL, xrefs: 004015A2
                • %s: Invalid Concurrency [Range 0..%d], xrefs: 004015DC
                • %s: wrong number of arguments, xrefs: 00401555
                • %s: Cannot use concurrency level greater than total number of requests, xrefs: 00401610
                • gfff, xrefs: 0040163C
                • n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq, xrefs: 00401521
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: fprintf
                • String ID: %s: Cannot use concurrency level greater than total number of requests$%s: Invalid Concurrency [Range 0..%d]$%s: invalid URL$%s: wrong number of arguments$gfff$n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq
                • API String ID: 383729395-1122596264
                • Opcode ID: 9298caabd16e2d83533ee0f1cb32972e874f66a9741b77fb0526e5fba719123f
                • Instruction ID: d846dd6a068fface60e1f41b01e3f3997aca640c09a05a452a478b2b379f4e25
                • Opcode Fuzzy Hash: 9298caabd16e2d83533ee0f1cb32972e874f66a9741b77fb0526e5fba719123f
                • Instruction Fuzzy Hash: 8F4171B4A00104ABD714DFA5DD81D2A7369EBC8308B14C57EF905EB3E1D638E945CB98
                APIs
                • fprintf.MSVCRT ref: 0040155B
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040432D
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040433E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040434E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040435F
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404370
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404380
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404391
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043A2
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043B5
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043C6
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043D7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043E7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043F8
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404409
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404419
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040442A
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040443E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040444E
                • fprintf.MSVCRT ref: 004015A8
                • fprintf.MSVCRT ref: 004015E2
                • fprintf.MSVCRT ref: 00401616
                Strings
                • %s: invalid URL, xrefs: 004015A2
                • %s: Invalid Concurrency [Range 0..%d], xrefs: 004015DC
                • %s: wrong number of arguments, xrefs: 00401555
                • %s: Cannot use concurrency level greater than total number of requests, xrefs: 00401610
                • gfff, xrefs: 0040163C
                • n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq, xrefs: 00401521
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: fprintf
                • String ID: %s: Cannot use concurrency level greater than total number of requests$%s: Invalid Concurrency [Range 0..%d]$%s: invalid URL$%s: wrong number of arguments$gfff$n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq
                • API String ID: 383729395-1122596264
                • Opcode ID: 3c7ef74adbd01b7975934a8cfbb17b3e8816584bb1af013fa8425970e7b5c2e4
                • Instruction ID: ac887286a6eb253591f567c4640287cd2f0e2bd19792aafaae3d728f094c2789
                • Opcode Fuzzy Hash: 3c7ef74adbd01b7975934a8cfbb17b3e8816584bb1af013fa8425970e7b5c2e4
                • Instruction Fuzzy Hash: DF4181B4A00104EBD714DF99ED81D2A73A5EBC8308B14C57EF909EB3E1D638E945CB98
                APIs
                • fprintf.MSVCRT ref: 0040155B
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040432D
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040433E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040434E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040435F
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404370
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404380
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404391
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043A2
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043B5
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043C6
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043D7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043E7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043F8
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404409
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404419
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040442A
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040443E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040444E
                • fprintf.MSVCRT ref: 004015A8
                • fprintf.MSVCRT ref: 004015E2
                • fprintf.MSVCRT ref: 00401616
                Strings
                • %s: invalid URL, xrefs: 004015A2
                • %s: Invalid Concurrency [Range 0..%d], xrefs: 004015DC
                • %s: wrong number of arguments, xrefs: 00401555
                • %s: Cannot use concurrency level greater than total number of requests, xrefs: 00401610
                • gfff, xrefs: 0040163C
                • n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq, xrefs: 00401521
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: fprintf
                • String ID: %s: Cannot use concurrency level greater than total number of requests$%s: Invalid Concurrency [Range 0..%d]$%s: invalid URL$%s: wrong number of arguments$gfff$n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq
                • API String ID: 383729395-1122596264
                • Opcode ID: 3175a9ab0fd6d70d8e810f3714546f1006a9b3ad2864429820382d2718c89cae
                • Instruction ID: 7ab4a14bd2d8d40e32e4f18f80d4a6b082302997e46063b29a1b0166f0c07ec4
                • Opcode Fuzzy Hash: 3175a9ab0fd6d70d8e810f3714546f1006a9b3ad2864429820382d2718c89cae
                • Instruction Fuzzy Hash: AC4190B4A00104EBD714DF99ED81D2A7369EBC8308B14C57EF909AB3E1D638ED45CB98
                APIs
                • fprintf.MSVCRT ref: 0040155B
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040432D
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040433E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040434E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040435F
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404370
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404380
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404391
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043A2
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043B5
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043C6
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043D7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043E7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043F8
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404409
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404419
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040442A
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040443E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040444E
                • fprintf.MSVCRT ref: 004015A8
                • fprintf.MSVCRT ref: 004015E2
                • fprintf.MSVCRT ref: 00401616
                Strings
                • %s: invalid URL, xrefs: 004015A2
                • %s: Invalid Concurrency [Range 0..%d], xrefs: 004015DC
                • %s: wrong number of arguments, xrefs: 00401555
                • %s: Cannot use concurrency level greater than total number of requests, xrefs: 00401610
                • gfff, xrefs: 0040163C
                • n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq, xrefs: 00401521
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: fprintf
                • String ID: %s: Cannot use concurrency level greater than total number of requests$%s: Invalid Concurrency [Range 0..%d]$%s: invalid URL$%s: wrong number of arguments$gfff$n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq
                • API String ID: 383729395-1122596264
                • Opcode ID: a4da7b0ed50605e511d11ed83859cb0953c2f4cc1d0ac370ec43680eff2171f6
                • Instruction ID: ee865041bf328288626088181d699fa6e6fbf9613280e1ce13024c745c7f45c9
                • Opcode Fuzzy Hash: a4da7b0ed50605e511d11ed83859cb0953c2f4cc1d0ac370ec43680eff2171f6
                • Instruction Fuzzy Hash: A44181B4A00104ABD714DF95ED81D2A73A5EBC8308B14C57EF905AB3E1D638E945CB98
                APIs
                • fprintf.MSVCRT ref: 0040155B
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040432D
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040433E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040434E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040435F
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404370
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404380
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404391
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043A2
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043B5
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043C6
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043D7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043E7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043F8
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404409
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404419
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040442A
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040443E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040444E
                • fprintf.MSVCRT ref: 004015A8
                • fprintf.MSVCRT ref: 004015E2
                • fprintf.MSVCRT ref: 00401616
                Strings
                • %s: invalid URL, xrefs: 004015A2
                • %s: Invalid Concurrency [Range 0..%d], xrefs: 004015DC
                • %s: wrong number of arguments, xrefs: 00401555
                • %s: Cannot use concurrency level greater than total number of requests, xrefs: 00401610
                • gfff, xrefs: 0040163C
                • n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq, xrefs: 00401521
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: fprintf
                • String ID: %s: Cannot use concurrency level greater than total number of requests$%s: Invalid Concurrency [Range 0..%d]$%s: invalid URL$%s: wrong number of arguments$gfff$n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq
                • API String ID: 383729395-1122596264
                • Opcode ID: 23de69ab10ec41c1002a238087b9dc6cdb6510706ff49b111b7cdbad1313085b
                • Instruction ID: 0f592a4bf3fa4828cae782fe56355146e2273eabbc9180dcb22d222479ef9216
                • Opcode Fuzzy Hash: 23de69ab10ec41c1002a238087b9dc6cdb6510706ff49b111b7cdbad1313085b
                • Instruction Fuzzy Hash: 2D4183B4A00104ABD714DF99DD81D2A7369EBC8308B14C57FF909EB3E1D639E945CB98
                APIs
                • fprintf.MSVCRT ref: 0040155B
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040432D
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040433E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040434E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040435F
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404370
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404380
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404391
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043A2
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043B5
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043C6
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043D7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043E7
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 004043F8
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404409
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 00404419
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040442A
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040443E
                  • Part of subcall function 00404310: fprintf.MSVCRT ref: 0040444E
                • fprintf.MSVCRT ref: 004015A8
                • fprintf.MSVCRT ref: 004015E2
                • fprintf.MSVCRT ref: 00401616
                Strings
                • %s: invalid URL, xrefs: 004015A2
                • %s: Invalid Concurrency [Range 0..%d], xrefs: 004015DC
                • %s: wrong number of arguments, xrefs: 00401555
                • %s: Cannot use concurrency level greater than total number of requests, xrefs: 00401610
                • gfff, xrefs: 0040163C
                • n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq, xrefs: 00401521
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: fprintf
                • String ID: %s: Cannot use concurrency level greater than total number of requests$%s: Invalid Concurrency [Range 0..%d]$%s: invalid URL$%s: wrong number of arguments$gfff$n:c:t:b:T:p:u:v:rkVhwix:y:z:C:H:P:A:g:X:de:Sq
                • API String ID: 383729395-1122596264
                • Opcode ID: 14b627dde1f883c54ffc08f4aeeffea8bf23715a582640649a8e740ddf1c24fd
                • Instruction ID: ca0ea338b193e0236818bdd2c217bea1a93a6fb7730b26cb357f3830e49628e4
                • Opcode Fuzzy Hash: 14b627dde1f883c54ffc08f4aeeffea8bf23715a582640649a8e740ddf1c24fd
                • Instruction Fuzzy Hash: FB4172B4A00104ABD714DF99DD81D2A7369EBC8308B14C57EF909EB3E1D638E945CB98
                APIs
                • _wcsstr.LIBCMT ref: 009083DA
                • _wcschr.LIBCMT ref: 009083E8
                • _wcschr.LIBCMT ref: 009083F6
                • _calloc.LIBCMT ref: 00908425
                • __snprintf_s.LIBCMT ref: 0090843F
                • SetHandleInformation.KERNEL32(000000FF,00000001,00000000), ref: 009084B3
                • SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000), ref: 00908463
                  • Part of subcall function 00905078: GetSystemTime.KERNEL32(?,?,?,?,?,?,00907926), ref: 00905082
                  • Part of subcall function 00905078: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,00907926), ref: 00905090
                  • Part of subcall function 00905078: __aulldiv.LIBCMT ref: 009050B0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: Time$HandleSystem_wcschr$FileInformationNamedPipeState__aulldiv__snprintf_s_calloc_wcsstr
                • String ID: \\%s\pipe\%s$\\.\$pipe
                • API String ID: 101525352-8644039
                • Opcode ID: 321b06d6241b0a1a8c73438c1937dfecf967425ed37c5f29928130028186a6b4
                • Instruction ID: f02e46c41676be37348c0e32e8a52090ab9e662d50a55ea368b2de64e10b8c5e
                • Opcode Fuzzy Hash: 321b06d6241b0a1a8c73438c1937dfecf967425ed37c5f29928130028186a6b4
                • Instruction Fuzzy Hash: 5141F6B2B00216BFDF20AF64CC46BDA776CAF54720F104165FA48E71D2EB719990CB91
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _free
                • String ID:
                • API String ID: 269201875-0
                • Opcode ID: 85022235424f8599b0bd29cc37f4bae05b1ecaf08c9207c4899039a5679603ad
                • Instruction ID: 65e70e2c02b6a878ef7fd0ce46ba98086fd072bd7a029de640d2401243a33392
                • Opcode Fuzzy Hash: 85022235424f8599b0bd29cc37f4bae05b1ecaf08c9207c4899039a5679603ad
                • Instruction Fuzzy Hash: BF318D35505B11EFC7245F2BEA90642BBE1FF44318B54453FE94A06961C739A8E1CE4C
                APIs
                • _malloc.LIBCMT ref: 00909C5C
                  • Part of subcall function 0090F7C0: __FF_MSGBANNER.LIBCMT ref: 0090F7D7
                  • Part of subcall function 0090F7C0: __NMSG_WRITE.LIBCMT ref: 0090F7DE
                  • Part of subcall function 0090F7C0: RtlAllocateHeap.NTDLL(006C0000,00000000,00000001,00000000,00000000,00000000,?,00918CB7,?,?,?,00000000,?,0091903E,00000018,00925620), ref: 0090F803
                • _malloc.LIBCMT ref: 00909C65
                • _memset.LIBCMT ref: 00909C81
                • _memset.LIBCMT ref: 00909C8C
                • _free.LIBCMT ref: 00909D3E
                • _memcmp.LIBCMT ref: 00909D68
                • _malloc.LIBCMT ref: 00909D76
                • _memmove.LIBCMT ref: 00909D88
                  • Part of subcall function 00905078: GetSystemTime.KERNEL32(?,?,?,?,?,?,00907926), ref: 00905082
                  • Part of subcall function 00905078: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,00907926), ref: 00905090
                  • Part of subcall function 00905078: __aulldiv.LIBCMT ref: 009050B0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: Time_malloc$System_memset$AllocateFileHeap__aulldiv_free_memcmp_memmove
                • String ID: https
                • API String ID: 802662995-1056335270
                • Opcode ID: 2070a29ffa54c585ab210ede40d0000f2af5a9c22f8f7f956c8a402f623d116f
                • Instruction ID: ec57b574109964b627ed2da0899ce24da78144786ca77f0b7a6980fb814c5f04
                • Opcode Fuzzy Hash: 2070a29ffa54c585ab210ede40d0000f2af5a9c22f8f7f956c8a402f623d116f
                • Instruction Fuzzy Hash: AB517CB1A00B05AFD724EF34D845B96B7F8FF44310F10852AE949DB2C2E774A9858F90
                APIs
                Strings
                • ab: Could not read POST data file: %s, xrefs: 00404841
                • ab: Could not stat POST data file (%s): %s, xrefs: 004047BA
                • ab: Could not open POST data file (%s): %s, xrefs: 00404771
                • ab: Could not allocate POST data buffer, xrefs: 004047F5
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: fprintf
                • String ID: ab: Could not allocate POST data buffer$ab: Could not open POST data file (%s): %s$ab: Could not read POST data file: %s$ab: Could not stat POST data file (%s): %s
                • API String ID: 383729395-630050437
                • Opcode ID: 3b2107b143804c888e19e2c907a6e6db38d0adb568f7d1294eb3f88bf2949e33
                • Instruction ID: 5ec1177bad957eee24e51120d1417a840a2af49dcd0325367be3a27fb0bc9ce3
                • Opcode Fuzzy Hash: 3b2107b143804c888e19e2c907a6e6db38d0adb568f7d1294eb3f88bf2949e33
                • Instruction Fuzzy Hash: DE31D8B2640104A7D310EB69DC46EAB336CDB84714F00827AFD08B7281D679DC1987DC
                APIs
                • WinHttpOpen.WINHTTP(?,00000000,00000000,00000000,00000000), ref: 0090971C
                • GetLastError.KERNEL32 ref: 00909729
                • _memset.LIBCMT ref: 00909741
                • _memset.LIBCMT ref: 00909753
                • _memset.LIBCMT ref: 0090975F
                • WinHttpCrackUrl.WINHTTP(?,00000000,00000000,0000003C), ref: 00909794
                • _free.LIBCMT ref: 009097A3
                  • Part of subcall function 0090F788: HeapFree.KERNEL32(00000000,00000000,?,009158F9,00000000,?,?,?,00000000,?,0091903E,00000018,00925620,00000008,00918F8B,?), ref: 0090F79C
                  • Part of subcall function 0090F788: GetLastError.KERNEL32(00000000,?,009158F9,00000000,?,?,?,00000000,?,0091903E,00000018,00925620,00000008,00918F8B,?,?), ref: 0090F7AE
                • WinHttpConnect.WINHTTP(?,?,?,00000000), ref: 009097D2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: Http_memset$ErrorLast$ConnectCrackFreeHeapOpen_free
                • String ID: <
                • API String ID: 2670675293-4251816714
                • Opcode ID: 0340bedfbf3c6892ceb3f4f5cd8f3aa7669c9466d3383eec373ad4fb35606b6c
                • Instruction ID: 29d9decc6fe92f2640a70e650979ee48433f15b6311fdac91c8547a49a89eb1e
                • Opcode Fuzzy Hash: 0340bedfbf3c6892ceb3f4f5cd8f3aa7669c9466d3383eec373ad4fb35606b6c
                • Instruction Fuzzy Hash: 68314F72905118BBCB21AFA1DC88ADABBBCFF48310F004166F508A2191D7359694CFD0
                APIs
                • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000), ref: 00906888
                • GetLastError.KERNEL32(?,?,009028E3,?,00100000,00000000,?,00000004,00000000,00000000,00000000,?,?,?,00901DFF), ref: 00906891
                • GetModuleHandleA.KERNEL32(ntdll,RtlCreateUserThread,?,?,009028E3,?,00100000,00000000,?,00000004,00000000,00000000,00000000), ref: 009068BA
                • GetProcAddress.KERNEL32(00000000), ref: 009068C1
                • SetLastError.KERNEL32(00000000,?,?,009028E3,?,00100000,00000000,?,00000004,00000000,00000000,00000000,?,?,?,00901DFF), ref: 009068F8
                • GetThreadId.KERNEL32(00000000,?,?,009028E3,?,00100000,00000000,?,00000004,00000000,00000000,00000000,?,?,?,00901DFF), ref: 00906909
                • SetLastError.KERNEL32(00000008,?,?,009028E3,?,00100000,00000000,?,00000004,00000000,00000000,00000000,?,?,?,00901DFF), ref: 00906915
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$Thread$AddressCreateHandleModuleProcRemote
                • String ID: RtlCreateUserThread$ntdll
                • API String ID: 1819768294-687317052
                • Opcode ID: 0cccab93ed5d3d91835c3379926c9e771868496ef1f66f9a7d5190862499ac46
                • Instruction ID: 96a4b3295d750a674707fba875df41d9597af9f5e3540e72bea95dcc6b8ca63a
                • Opcode Fuzzy Hash: 0cccab93ed5d3d91835c3379926c9e771868496ef1f66f9a7d5190862499ac46
                • Instruction Fuzzy Hash: C921897291421AAFDF208F55ED48AAB3BAEFF58394F104028FD1596160D7358D72EFA0
                APIs
                • select.WSOCK32(680040C1,?,?,?,?,00000000,01C9C380,000F4240,00000000,00000000,01C9C380,000F4240,00000000,?,00000000,00000002), ref: 0040645B
                • WSAGetLastError.WSOCK32(?,00000000,00000002,?,00401C1D,?,01C9C380,00000000,00401682,?), ref: 00406472
                • WSAGetLastError.WSOCK32(?,00000000,00000002,?,00401C1D,?,01C9C380,00000000,00401682,?), ref: 0040647C
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$select
                • String ID:
                • API String ID: 1043644060-0
                • Opcode ID: 58822c8b23c4319a487e678a5c4bbf1e94a5b354173d89a4ba058f0c902d929b
                • Instruction ID: aad14e84e10316805939aba1b1148483d37d4f43af9cd58d41b426ceb4abba25
                • Opcode Fuzzy Hash: 58822c8b23c4319a487e678a5c4bbf1e94a5b354173d89a4ba058f0c902d929b
                • Instruction Fuzzy Hash: 85718572A002199BDB11CF15DC80AAB77A8FF44314F0580BAED09EB251D775EA51CBA8
                APIs
                • _memset.LIBCMT ref: 009040B2
                • htonl.WS2_32(?), ref: 009040E4
                • htonl.WS2_32(00000000), ref: 009040F0
                • htonl.WS2_32(00000000), ref: 0090413E
                • htonl.WS2_32(?), ref: 00904145
                • _malloc.LIBCMT ref: 00904169
                  • Part of subcall function 0090F7C0: __FF_MSGBANNER.LIBCMT ref: 0090F7D7
                  • Part of subcall function 0090F7C0: __NMSG_WRITE.LIBCMT ref: 0090F7DE
                  • Part of subcall function 0090F7C0: RtlAllocateHeap.NTDLL(006C0000,00000000,00000001,00000000,00000000,00000000,?,00918CB7,?,?,?,00000000,?,0091903E,00000018,00925620), ref: 0090F803
                • htonl.WS2_32(?), ref: 00904183
                • _malloc.LIBCMT ref: 00904191
                  • Part of subcall function 009049B9: _malloc.LIBCMT ref: 009049BC
                • _free.LIBCMT ref: 0090420C
                • _free.LIBCMT ref: 00904216
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: htonl$_malloc$_free$AllocateHeap_memset
                • String ID:
                • API String ID: 4051244826-0
                • Opcode ID: 621847636d3cad27744e34e5b7610d03eceed449332f1abed10b970693d7adc0
                • Instruction ID: bdca75acaf05415dd0a92eff4f3d0c4a0315279ec5fa6577a98290676f107884
                • Opcode Fuzzy Hash: 621847636d3cad27744e34e5b7610d03eceed449332f1abed10b970693d7adc0
                • Instruction Fuzzy Hash: 82517EB1A04215EFDF20CF68C880B6ABBF9EF54310F248569EA18D7295D731ED91DB90
                APIs
                • _memset.LIBCMT ref: 00908946
                • WSAStartup.WS2_32(00000202,?), ref: 0090895A
                • WSAGetLastError.WS2_32 ref: 00908964
                • socket.WS2_32(00000017,00000001,00000006), ref: 00908985
                • setsockopt.WS2_32(00000000,00000029,0000001B,?,00000004), ref: 0090899F
                • closesocket.WS2_32(00000000), ref: 009089AB
                • socket.WS2_32(00000002,00000001,00000006), ref: 009089BE
                • htons.WS2_32(00000000), ref: 009089DE
                • htons.WS2_32(?), ref: 009089F0
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: htonssocket$ErrorLastStartup_memsetclosesocketsetsockopt
                • String ID:
                • API String ID: 1629790708-0
                • Opcode ID: e2c085db15724be878bfdaf2978ea9faa38a89f8dfe8c0aa2a1e29d9138bc2a3
                • Instruction ID: 90a1c261c27fafa0ffc1093b871149d46e4469d253a46bbc7f88d83c5ec5b376
                • Opcode Fuzzy Hash: e2c085db15724be878bfdaf2978ea9faa38a89f8dfe8c0aa2a1e29d9138bc2a3
                • Instruction Fuzzy Hash: E2318372A40318BFEB209BA4AC05BEE77B9EF08720F104552FA14EB1D1D7B14E509794
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _free
                • String ID:
                • API String ID: 269201875-0
                • Opcode ID: 0415da6205f70a90d8d3c188dfb52d74e4a77dc578d2cad38fb35f8fadc55e0d
                • Instruction ID: c87055fb3c227e429cc28165ff3e93f54f037344c7a90dd6675d94c7a7bed220
                • Opcode Fuzzy Hash: 0415da6205f70a90d8d3c188dfb52d74e4a77dc578d2cad38fb35f8fadc55e0d
                • Instruction Fuzzy Hash: 8A218132A02136CFFB246F9BBDD58667764EB443687B6006FE90493321C7395C92CB98
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _initterm$FilterXcpt__getmainargs__p___initenv__p__commode__p__fmode__set_app_type__setusermatherrexit
                • String ID:
                • API String ID: 167530163-0
                • Opcode ID: 47c624472f200f94fb779e5d7000b49dbfff1e67262a55665e34829eb83f0402
                • Instruction ID: 8e3cf1961e8c3bc3bc3059838a8df93c3fb1380d112581f8814b14db448a8bc5
                • Opcode Fuzzy Hash: 47c624472f200f94fb779e5d7000b49dbfff1e67262a55665e34829eb83f0402
                • Instruction Fuzzy Hash: F331F9B5940204EFDB149BE4DD85FA97B78FB09728F10423AF615B62E0CB795844CB6C
                APIs
                • VirtualAlloc.KERNEL32(?,?,00003000,00000040,?,?,?,00000000,?,009043F1,00000100,?,000000FF,00000000), ref: 009048F2
                • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,?,?,?,00000000,?,009043F1,00000100,?,000000FF,00000000), ref: 00904909
                • GetModuleHandleA.KERNEL32(ntdll,NtLockVirtualMemory,?,?,?,00000000,?,009043F1,00000100,?,000000FF,00000000), ref: 00904924
                • GetProcAddress.KERNEL32(00000000), ref: 0090492B
                • WriteProcessMemory.KERNEL32(000000FF,?,?,?,00000000,?,?,?,00000000,?,009043F1,00000100,?,000000FF,00000000), ref: 00904965
                • WriteProcessMemory.KERNEL32(000000FF,?,?,?,00000000,?,?,?,00000000,?,009043F1,00000100,?,000000FF,00000000), ref: 0090499A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: AllocMemoryProcessVirtualWrite$AddressHandleModuleProc
                • String ID: NtLockVirtualMemory$ntdll
                • API String ID: 1502369038-2974287352
                • Opcode ID: 801fe5f74f892f2e9c68e508c31731d30eb2af5db91f726c79cf11b0bc44aa17
                • Instruction ID: 289d8f370519c1a2e47581509d012dbd540ae8792014ba12d91c4b82c5dd1fc1
                • Opcode Fuzzy Hash: 801fe5f74f892f2e9c68e508c31731d30eb2af5db91f726c79cf11b0bc44aa17
                • Instruction Fuzzy Hash: 71316D72204605BFCB148FA4DC85BE6B7A4FF18710F108619F66A86290D7B0B9A0CFA4
                APIs
                • #21.WSOCK32(?,0000FFFF,00000008,?,00000004,00000001,00401686,?,00000001,00000000,?,00401682,?,00000000,00000000,00000001), ref: 00408E13
                • #21.WSOCK32(?,0000FFFF,00000001,0040167E,00000004,00000001,?,?,?,01C9C380,00000000,00401682,?), ref: 00408E6E
                • #21.WSOCK32(?,0000FFFF,00000004,?,00000004), ref: 00408ECD
                • #21.WSOCK32(?,0000FFFF,00000080,?,00000004,00401682,?,?,004038EF,?,00000008,00000001,00401686,?,00000001,00000000), ref: 00408FA6
                • #21.WSOCK32(?,0000FFFF,00001001,00000000,00000004,00401682,?,?,004038EF,?,00000008,00000001,00401686,?,00000001,00000000), ref: 00408FF2
                • #21.WSOCK32(?,00000006,00000001,00000000,00000004,00401682,?,?,004038EF,?,00000008,00000001,00401686,?,00000001,00000000), ref: 0040905A
                • WSAGetLastError.WSOCK32(?,?,004038EF,?,00000008,00000001,00401686,?,00000001,00000000,?,00401682,?,00000000,00000000,00000001), ref: 0040906B
                • WSAGetLastError.WSOCK32(?,?,004038EF,?,00000008,00000001,00401686,?,00000001,00000000,?,00401682,?,00000000,00000000,00000001), ref: 00409078
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast
                • String ID:
                • API String ID: 1452528299-0
                • Opcode ID: a86d585026920662851b595f17812258bda62de1e2180445dab3d01c6b994e67
                • Instruction ID: 8f8cd576bd819d0c97d16d3837d398608ac9677c7d9be360b0a79d045ce8cd1c
                • Opcode Fuzzy Hash: a86d585026920662851b595f17812258bda62de1e2180445dab3d01c6b994e67
                • Instruction Fuzzy Hash: F191D1726106059BE720CF68DD81AAB73D9EF44320F14863FF946EBAD0E635EC508B84
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _free$_memmove$_calloc_memcmp$_malloc
                • String ID:
                • API String ID: 2902935266-0
                • Opcode ID: 6bc298a833a54739878fe08eb137a039b4a9d01427948cc109b0d71c5212d9bc
                • Instruction ID: 8f29f4b3f3d1a0ee79411d15287983b5826c9e71d54d5700be49209301217213
                • Opcode Fuzzy Hash: 6bc298a833a54739878fe08eb137a039b4a9d01427948cc109b0d71c5212d9bc
                • Instruction Fuzzy Hash: 85818172940214BBDB109F65DC81BDA77A8EF09314F08407EFD489F256DBB999D0CBA8
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _free
                • String ID:
                • API String ID: 269201875-0
                • Opcode ID: ac0eac948233f75dccb7baf4eff6d5b6d02b4447ba01dc7d715fb3e4f68a81ed
                • Instruction ID: d68e1f8e204babec0809ae61b4563049396e59334b7c486d1d2070dd11dc435b
                • Opcode Fuzzy Hash: ac0eac948233f75dccb7baf4eff6d5b6d02b4447ba01dc7d715fb3e4f68a81ed
                • Instruction Fuzzy Hash: C471F271640615BBD7259B71CCC5FEBB7ACFF08314F40022BF51996281DB78A9E18B98
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$Startup_memsetfreeaddrinfogetaddrinfosocket
                • String ID:
                • API String ID: 3817943115-0
                • Opcode ID: d0d3e40bc160b96f1c7b4ad1394ef62a1907dec34dd7a7b7a95efa17a265f5b3
                • Instruction ID: 52c33ff61e042828abb8e1e7246e06807f75dd398fa0cd30cbee0c19e5278056
                • Opcode Fuzzy Hash: d0d3e40bc160b96f1c7b4ad1394ef62a1907dec34dd7a7b7a95efa17a265f5b3
                • Instruction Fuzzy Hash: DF316D75E00208EFCB209FA0DC48ADEBB79FF44360F108559F925E72A0DB3499619F90
                APIs
                  • Part of subcall function 00404CE0: free.MSVCRT ref: 00404DE4
                • fprintf.MSVCRT ref: 004039FB
                  • Part of subcall function 00401E40: fprintf.MSVCRT ref: 00401E6B
                  • Part of subcall function 00401E40: printf.MSVCRT ref: 00401E83
                  • Part of subcall function 00401E40: exit.MSVCRT ref: 00401E8D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: fprintf$exitfreeprintf
                • String ID: Test aborted after 10 failures$apr_socket_connect()$socket$socket nonblock$socket receive buffer$socket send buffer
                • API String ID: 2990634465-2661476521
                • Opcode ID: 3ec612c9898c77c8d636f9c2587b9eb1d5113d46ff696605a61dc9c2ac0b560f
                • Instruction ID: de91daf92c30cbec868cb37b282e72f7f736d9f3d13f6e05d6dd97bf14499f43
                • Opcode Fuzzy Hash: 3ec612c9898c77c8d636f9c2587b9eb1d5113d46ff696605a61dc9c2ac0b560f
                • Instruction Fuzzy Hash: 6651C7B5A002019FD710EF55ECC1AABB7E8EB44304B10C57FF549A3391D7B8AD448BA9
                APIs
                • strspn.MSVCRT ref: 00406FD2
                • inet_addr.WSOCK32(00000000,?,?,?,?,?,004117FC,?,00000000,00000000,00000000,?), ref: 00406FF2
                • gethostbyname.WSOCK32(00000000,00401B22,00000000,00000002,Connection: Keep-Alive,?,00401B22,004117FC,?,00000000,00000000,00000000,?), ref: 0040707E
                • WSAGetLastError.WSOCK32(?,00401B22,004117FC,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,004117F8), ref: 00407091
                • WSAGetLastError.WSOCK32(?,00401B22,004117FC,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,004117F8), ref: 00407097
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$gethostbynameinet_addrstrspn
                • String ID: 0.0.0.0$0123456789.
                • API String ID: 601764835-1678653780
                • Opcode ID: adce9aa9bb6b8959386101f623a4314ccc050b20d311c3b00f80d0c74d0fbbcc
                • Instruction ID: 506d2f1c4acc5398e38741b33c180efab8e8d3cc86edfdb96eb05c5fc29cf7f8
                • Opcode Fuzzy Hash: adce9aa9bb6b8959386101f623a4314ccc050b20d311c3b00f80d0c74d0fbbcc
                • Instruction Fuzzy Hash: B7416D71E012199FCB10CF69C98099AB7E5EF88324F10827AE819E7391D679ED42CF95
                APIs
                  • Part of subcall function 0090770B: GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,009077B7,SeSecurityPrivilege,00000001,?,?,00000000,?), ref: 00907717
                  • Part of subcall function 0090770B: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,009077B7,SeSecurityPrivilege,00000001,?,?,00000000,?), ref: 0090771E
                  • Part of subcall function 0090770B: GetLastError.KERNEL32(?,?,?,?,?,009077B7,SeSecurityPrivilege,00000001,?,?,00000000,?,?,?,?,?), ref: 00907728
                • CreateNamedPipeA.KERNEL32(?,40000003,00000000,000000FF,00010000,00010000,00000000,?), ref: 009077F5
                • CreateNamedPipeA.KERNEL32(?,40000003,00000000,000000FF,00010000,00010000,00000000,00000000), ref: 00907838
                • GetLastError.KERNEL32 ref: 00907845
                  • Part of subcall function 00907604: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,762322C0), ref: 00907632
                  • Part of subcall function 00907604: SetEntriesInAclW.ADVAPI32(00000001,?,00000000,?,?), ref: 00907676
                  • Part of subcall function 00907604: AllocateAndInitializeSid.ADVAPI32(?,00000001,00001000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,009077D9), ref: 0090769E
                  • Part of subcall function 00907604: LocalAlloc.KERNEL32(00000040,00000100), ref: 009076AE
                  • Part of subcall function 00907604: InitializeAcl.ADVAPI32(00000000,00000100,00000004), ref: 009076B6
                  • Part of subcall function 00907604: LocalAlloc.KERNEL32(00000040,00000014,00000000,00000004,00000004,00000000,009077D9), ref: 009076D0
                  • Part of subcall function 00907604: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 009076D7
                  • Part of subcall function 00907604: SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 009076E4
                  • Part of subcall function 00907604: SetSecurityDescriptorSacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 009076EF
                • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 0090785B
                • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00907869
                  • Part of subcall function 0090770B: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,?), ref: 00907739
                  • Part of subcall function 0090770B: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,?,00000000), ref: 00907776
                  • Part of subcall function 0090770B: CloseHandle.KERNEL32(?), ref: 00907790
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: CreateInitialize$DescriptorSecurity$AllocAllocateErrorEventLastLocalNamedPipeProcessToken$AdjustCloseCurrentDaclEntriesHandleLookupOpenPrivilegePrivilegesSaclValue
                • String ID: SeSecurityPrivilege$SeSecurityPrivilege
                • API String ID: 2580897795-1340523147
                • Opcode ID: 88538516a6776954d0b97519971ba280ecde5928942df17ceb0fcc438cb39a19
                • Instruction ID: 36dfd945ea4090d1ec3f9544f5eb948ceaa42cf92f7c5a86e5916a2ec4c7b103
                • Opcode Fuzzy Hash: 88538516a6776954d0b97519971ba280ecde5928942df17ceb0fcc438cb39a19
                • Instruction Fuzzy Hash: 67218271A45625BED7219BA59C89FEBBB6CFF49770F004221FA18D21C0D7B0A950C6E4
                APIs
                • HttpOpenRequestW.WININET(?,GET,?,00000000,00000000,00000000,84600200,00000000), ref: 00909E64
                • SetLastError.KERNEL32(00000490), ref: 00909E75
                • InternetSetOptionW.WININET(00000000,0000001F,?,00000004), ref: 00909E91
                • SetLastError.KERNEL32(00000490), ref: 00909EA0
                • InternetCloseHandle.WININET(00000000), ref: 00909EA7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: ErrorInternetLast$CloseHandleHttpOpenOptionRequest
                • String ID: GET$POST
                • API String ID: 4051435859-3192705859
                • Opcode ID: 454bb4eba449810e09db7bedbc83ea0e9cdab97f9a481fc99c24659ab31268c9
                • Instruction ID: 0700c7a9ddff9ec4c736898f9aea3af33a19a506a86044c6c87e9a28378ea172
                • Opcode Fuzzy Hash: 454bb4eba449810e09db7bedbc83ea0e9cdab97f9a481fc99c24659ab31268c9
                • Instruction Fuzzy Hash: 8C01D47020821ABFEB204F51DC89AAB77ACEF14795F014035FA06D6191D730CD909BF0
                APIs
                • LoadLibraryA.KERNEL32(kernel32.dll,0000001C,00000000,?,009079F7), ref: 00907B8E
                • GetProcAddress.KERNEL32(00000000,ProcessIdToSessionId), ref: 00907BA0
                • GetCurrentProcessId.KERNEL32(009079F7,0000001C,00000000,?,009079F7), ref: 00907BBA
                • ProcessIdToSessionId.KERNEL32(00000000,?,009079F7), ref: 00907BC1
                • FreeLibrary.KERNEL32(00000000,?,009079F7), ref: 00907BDA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: LibraryProcess$AddressCurrentFreeLoadProcSession
                • String ID: ProcessIdToSessionId$kernel32.dll
                • API String ID: 4183634105-3889420803
                • Opcode ID: b678e0e2eb6d711bfc51acbbbc48e5102369098b6c16231809e6b360332671f8
                • Instruction ID: 8ddfc48966f013f196dda3320c19e75b366fb9f2534596f8a42e3a90d65f28fa
                • Opcode Fuzzy Hash: b678e0e2eb6d711bfc51acbbbc48e5102369098b6c16231809e6b360332671f8
                • Instruction Fuzzy Hash: 02F08131D19628EFCB30DFB4ED0A99EB7ADBF087607000655EC02A3694DB70AD12E791
                APIs
                  • Part of subcall function 0041A58B: __time64.LIBCMT ref: 0041A599
                  • Part of subcall function 0041A58B: _rand.LIBCMT ref: 0041A5B2
                  • Part of subcall function 0041A58B: _rand.LIBCMT ref: 0041A5C6
                  • Part of subcall function 0041A58B: _rand.LIBCMT ref: 0041A5D3
                  • Part of subcall function 0041A58B: _rand.LIBCMT ref: 0041A5E0
                • _memcpy_s.LIBCMT ref: 0041ADCD
                • _memcpy_s.LIBCMT ref: 0041AEA8
                • _memcpy_s.LIBCMT ref: 0041AEF2
                • _memcpy_s.LIBCMT ref: 0041AF02
                • _malloc.LIBCMT ref: 0041AE80
                  • Part of subcall function 00424C51: __FF_MSGBANNER.LIBCMT ref: 00424C68
                  • Part of subcall function 00424C51: __NMSG_WRITE.LIBCMT ref: 00424C6F
                • _malloc.LIBCMT ref: 0041AF27
                • _memcpy_s.LIBCMT ref: 0041AF45
                • _memcpy_s.LIBCMT ref: 0041AF57
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _memcpy_s$_rand$_malloc$__time64
                • String ID:
                • API String ID: 2880942210-0
                • Opcode ID: e2cb14402a0e6ddf839a85a0354db3993c8b0060b104657729bd989c7436d2ae
                • Instruction ID: b60132007459125a55db229e3a27bb9a6ddd470e52ab9f877e891b7d2999d223
                • Opcode Fuzzy Hash: e2cb14402a0e6ddf839a85a0354db3993c8b0060b104657729bd989c7436d2ae
                • Instruction Fuzzy Hash: D8619EB5A00208EFEB109F65CC85FDA3BB8EF08314F154056F904AB251D7B5E9A1DBA5
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Similarity
                • API ID: _malloc$_memset$__aulldiv_free_memcmp_memmove
                • String ID:
                • API String ID: 3316937673-0
                • Opcode ID: 554e7431fefcdf96d2cf6790a50c1959e2f51736910163403590e397ee381b12
                • Instruction ID: 05b7a2ef8f49ed570a5ccb1fb6b0a3ab7a59813af956a03f3346b2318f082317
                • Opcode Fuzzy Hash: 554e7431fefcdf96d2cf6790a50c1959e2f51736910163403590e397ee381b12
                • Instruction Fuzzy Hash: 10516EB1600700AFE714EF35D841A97B7E4EF04314F90452EE94ADB285EB79D985CB94
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Similarity
                • API ID: _calloc_memmove$___from_strstr_to_strchr__snprintf_s_free_malloc
                • String ID:
                • API String ID: 3263195834-0
                • Opcode ID: 275ec6efab36fb76833f6a32e898521093dda992f60fb60b29f173df6d4d7b9b
                • Instruction ID: df9d32be3fb270424bbd993a907d5fb6eb5d3178c375ef85ca761e81d9e765c6
                • Opcode Fuzzy Hash: 275ec6efab36fb76833f6a32e898521093dda992f60fb60b29f173df6d4d7b9b
                • Instruction Fuzzy Hash: 0D414F71E80705BBD7216B659C82FEB77A8EF04314F50052FF918A6282EF7DD9808698
                APIs
                • _malloc.LIBCMT ref: 00904288
                  • Part of subcall function 0090F7C0: __FF_MSGBANNER.LIBCMT ref: 0090F7D7
                  • Part of subcall function 0090F7C0: __NMSG_WRITE.LIBCMT ref: 0090F7DE
                  • Part of subcall function 0090F7C0: RtlAllocateHeap.NTDLL(006C0000,00000000,00000001,00000000,00000000,00000000,?,00918CB7,?,?,?,00000000,?,0091903E,00000018,00925620), ref: 0090F803
                • _free.LIBCMT ref: 0090435C
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Similarity
                • API ID: AllocateHeap_free_malloc
                • String ID:
                • API String ID: 1020059152-0
                • Opcode ID: 998ad1fe2278071fac1a8ab7afa68583e0ba7f6fafc8072260e002ed7080ad6b
                • Instruction ID: 7325fc87d3d3ec9d52215740eef4c853dcd39bd48e8a65eb2e3b33bc465d24a1
                • Opcode Fuzzy Hash: 998ad1fe2278071fac1a8ab7afa68583e0ba7f6fafc8072260e002ed7080ad6b
                • Instruction Fuzzy Hash: F231CFB5A10219EFCB10DF68DD40A9A7BA8FF48314B11416AF908AB242E730ED91CBD0
                APIs
                • _close.MSVCRT ref: 00409376
                • SetStdHandle.KERNEL32(000000F4,000000FF), ref: 00409383
                  • Part of subcall function 0040B2D0: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000FFF,00000003,?,?,00409361,00000003,?,00000003,?,0040963D), ref: 0040B31F
                • _close.MSVCRT ref: 00409394
                • SetStdHandle.KERNEL32(000000F5,000000FF), ref: 004093A1
                • _close.MSVCRT ref: 004093B2
                • SetStdHandle.KERNEL32(000000F6,000000FF), ref: 004093BF
                • CloseHandle.KERNEL32(?,?,00000003,?,0040963D,00000000,-00000058,00000000,?,?,?,?,00000060), ref: 004093E7
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Similarity
                • API ID: Handle$_close$CloseFileWrite
                • String ID:
                • API String ID: 1510869235-0
                • Opcode ID: c742f5363e677c1983f24ee12d1eeb4b77565f7eeaabb40d1b224d7a704b55bb
                • Instruction ID: 3e9a8869303e23c87e3bcfb78bfe4492e94e13d21de3461e32a59b7d14b24431
                • Opcode Fuzzy Hash: c742f5363e677c1983f24ee12d1eeb4b77565f7eeaabb40d1b224d7a704b55bb
                • Instruction Fuzzy Hash: 4811B230108610DFEA204FA9ED88B1737A4AB05335F244735F936F62E2C678DC418F59
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Similarity
                • API ID: modf$_ftol
                • String ID: N
                • API String ID: 891573039-1130791706
                • Opcode ID: 2928a30efa355423a129806178a666fa68242c438fd32012e58ee308a4a0ea74
                • Instruction ID: c9abfc0432f47dd2bf1326b3e280feee5fa4e6215a30057cce0fd390e68c3a15
                • Opcode Fuzzy Hash: 2928a30efa355423a129806178a666fa68242c438fd32012e58ee308a4a0ea74
                • Instruction Fuzzy Hash: 3D61D57190050EDBCB019F58EAC069EBB74FB45344F2242BADCC477291DB35496ACB9A
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Similarity
                • API ID: _free$_malloc$_memcpy_s_memmove
                • String ID:
                • API String ID: 440554447-0
                • Opcode ID: 51c8ac6f92f4be5faee1d5d07fbe48ff5d0da5836b3332e291221da27d0bc875
                • Instruction ID: 5e76ceb5960b7d1df1c4eaa0ae7d161314929d9d0086bb10ee30ada97517b99a
                • Opcode Fuzzy Hash: 51c8ac6f92f4be5faee1d5d07fbe48ff5d0da5836b3332e291221da27d0bc875
                • Instruction Fuzzy Hash: E75182B2D00218BFDB10DBA5CC85EDE77BCEB08314F544166FA05E7241E638EA958B69
                APIs
                • _malloc.LIBCMT ref: 00907D62
                  • Part of subcall function 0090F7C0: __FF_MSGBANNER.LIBCMT ref: 0090F7D7
                  • Part of subcall function 0090F7C0: __NMSG_WRITE.LIBCMT ref: 0090F7DE
                  • Part of subcall function 0090F7C0: RtlAllocateHeap.NTDLL(006C0000,00000000,00000001,00000000,00000000,00000000,?,00918CB7,?,?,?,00000000,?,0091903E,00000018,00925620), ref: 0090F803
                • _memset.LIBCMT ref: 00907D70
                • _memmove.LIBCMT ref: 00907D8F
                • _memmove.LIBCMT ref: 00907DA1
                • _memset.LIBCMT ref: 00907DEF
                • _memset.LIBCMT ref: 00907E67
                • _memset.LIBCMT ref: 00907E71
                  • Part of subcall function 00909B4C: _wcsncpy.LIBCMT ref: 00909B7E
                  • Part of subcall function 00909B4C: _wcsncpy.LIBCMT ref: 00909B9B
                  • Part of subcall function 00909B4C: _memmove.LIBCMT ref: 00909BB5
                  • Part of subcall function 00909B4C: _wcsncpy.LIBCMT ref: 00909BD2
                  • Part of subcall function 00909B4C: _wcsncpy.LIBCMT ref: 00909BEC
                  • Part of subcall function 00909B4C: _wcsncpy.LIBCMT ref: 00909C06
                  • Part of subcall function 00909B4C: _wcscpy.LIBCMT ref: 00909C1E
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Similarity
                • API ID: _wcsncpy$_memset$_memmove$AllocateHeap_malloc_wcscpy
                • String ID:
                • API String ID: 3181563560-0
                • Opcode ID: 3f092fb2c40b5bf23f39bb0734e0ccef99ae9f70183d9647f84e0d2a532603b9
                • Instruction ID: 688722092b8ebfb9119a74641d15077409d7567c184c23643cd5bfecbc759f52
                • Opcode Fuzzy Hash: 3f092fb2c40b5bf23f39bb0734e0ccef99ae9f70183d9647f84e0d2a532603b9
                • Instruction Fuzzy Hash: FF41C771A04208BFDB21DFA5CC85F9EB7ACEF45360F144495F9099B282D675FE408BA0
                APIs
                • _malloc.LIBCMT ref: 0041D1F3
                  • Part of subcall function 00424C51: __FF_MSGBANNER.LIBCMT ref: 00424C68
                  • Part of subcall function 00424C51: __NMSG_WRITE.LIBCMT ref: 00424C6F
                • _memset.LIBCMT ref: 0041D201
                • _memmove.LIBCMT ref: 0041D220
                • _memmove.LIBCMT ref: 0041D232
                • _memset.LIBCMT ref: 0041D280
                • _memset.LIBCMT ref: 0041D2F8
                • _memset.LIBCMT ref: 0041D302
                  • Part of subcall function 0041EFDD: _wcsncpy.LIBCMT ref: 0041F00F
                  • Part of subcall function 0041EFDD: _wcsncpy.LIBCMT ref: 0041F02C
                  • Part of subcall function 0041EFDD: _memmove.LIBCMT ref: 0041F046
                  • Part of subcall function 0041EFDD: _wcsncpy.LIBCMT ref: 0041F063
                  • Part of subcall function 0041EFDD: _wcsncpy.LIBCMT ref: 0041F07D
                  • Part of subcall function 0041EFDD: _wcsncpy.LIBCMT ref: 0041F097
                  • Part of subcall function 0041EFDD: _wcscpy.LIBCMT ref: 0041F0AF
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Similarity
                • API ID: _wcsncpy$_memset$_memmove$_malloc_wcscpy
                • String ID:
                • API String ID: 4227099964-0
                • Opcode ID: 68dff863b114ebd9f7b42138fba8ea38291efdf0ac9fe73a3f869149471d2349
                • Instruction ID: 636f501113eca11ab1a1313d478204de033a2dd2c2270d75a7c4a9c53c86974e
                • Opcode Fuzzy Hash: 68dff863b114ebd9f7b42138fba8ea38291efdf0ac9fe73a3f869149471d2349
                • Instruction Fuzzy Hash: 7641D6B1A00214BFDB109F5ACC85FAB77A8EF44310F54449BFD199B242D638ED80CB68
                APIs
                • _malloc.LIBCMT ref: 0090639E
                  • Part of subcall function 0090F7C0: __FF_MSGBANNER.LIBCMT ref: 0090F7D7
                  • Part of subcall function 0090F7C0: __NMSG_WRITE.LIBCMT ref: 0090F7DE
                  • Part of subcall function 0090F7C0: RtlAllocateHeap.NTDLL(006C0000,00000000,00000001,00000000,00000000,00000000,?,00918CB7,?,?,?,00000000,?,0091903E,00000018,00925620), ref: 0090F803
                • _memset.LIBCMT ref: 009063B4
                • GetProcAddress.KERNEL32(?,00000002), ref: 009063FB
                • GetProcAddress.KERNEL32(00000000,00000003), ref: 00906404
                • GetProcAddress.KERNEL32(00000000,00000005), ref: 0090640D
                • GetProcAddress.KERNEL32(00000000,00000004), ref: 00906416
                • _free.LIBCMT ref: 00906472
                  • Part of subcall function 0090F788: HeapFree.KERNEL32(00000000,00000000,?,009158F9,00000000,?,?,?,00000000,?,0091903E,00000018,00925620,00000008,00918F8B,?), ref: 0090F79C
                  • Part of subcall function 0090F788: GetLastError.KERNEL32(00000000,?,009158F9,00000000,?,?,?,00000000,?,0091903E,00000018,00925620,00000008,00918F8B,?,?), ref: 0090F7AE
                  • Part of subcall function 0090381F: htonl.WS2_32(?), ref: 00903825
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Similarity
                • API ID: AddressProc$Heap$AllocateErrorFreeLast_free_malloc_memsethtonl
                • String ID:
                • API String ID: 790098654-0
                • Opcode ID: ef5f630fdfa50a179f8c4bf3b64f6ef52608de66a32a78e52bfd2e934f790555
                • Instruction ID: d142aba7e86e463b6c746a8a2fa32d17563384ed978c5d11e91bf59108e55370
                • Opcode Fuzzy Hash: ef5f630fdfa50a179f8c4bf3b64f6ef52608de66a32a78e52bfd2e934f790555
                • Instruction Fuzzy Hash: 2B41AA71A00606EFDB209F64D841B1ABBBAFF40720F108529EA04676E1DB75AD70DF90
                APIs
                • socket.WSOCK32(00000001,00000000,00000000,?,?,?,01C9C380,00000000,00401682,?), ref: 0040661B
                • WSAGetLastError.WSOCK32(?,?,?,?,?,?,?,?,?,004117F8,00000001,?,00000000), ref: 00406636
                • WSAGetLastError.WSOCK32(?,?,?,?,?,?,?,?,?,004117F8,00000001,?,00000000), ref: 00406640
                • SetHandleInformation.KERNEL32(?,00000001,00000000,?,?,?,?,?,?,?,?,?,004117F8,00000001,?,00000000), ref: 0040665C
                • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,004117F8,00000001,?,00000000), ref: 00406664
                • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000,00000000,00000002), ref: 0040667C
                • closesocket.WSOCK32(?,?,?,?,?,?,?,?,?,?,004117F8,00000001,?,00000000), ref: 0040668C
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Similarity
                • API ID: ErrorHandleLast$CurrentDuplicateInformationProcessclosesocketsocket
                • String ID:
                • API String ID: 3376228477-0
                • Opcode ID: 2e28e6d1a58ea0a1196af54c03e98cebdb2b8dbc8325536359525752a2727246
                • Instruction ID: dc9d384bd9aef652eac403ddbbeb49409b88bc3a846a97a3ccc30e8094f320cf
                • Opcode Fuzzy Hash: 2e28e6d1a58ea0a1196af54c03e98cebdb2b8dbc8325536359525752a2727246
                • Instruction Fuzzy Hash: 49314DB5600204AFD710DF64DC85E67B7A9FF48324F21862AF945AB281C736EC50CBA8
                APIs
                • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 009065C8
                • _wcschr.LIBCMT ref: 009065E0
                • GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 009065FE
                • GetComputerNameW.KERNEL32(?,?), ref: 0090660F
                • __snprintf_s.LIBCMT ref: 00906639
                  • Part of subcall function 00912C53: __vsnwprintf_s_l.LIBCMT ref: 00912C68
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Similarity
                • API ID: ComputerDirectoryInformationNameSystemVolume__snprintf_s__vsnwprintf_s_l_wcschr
                • String ID: %04x-%04x:%s
                • API String ID: 3116242082-4041933335
                • Opcode ID: b2f58a19088233c5dfb9adcd0df3ed315f4e2f642d328163fddd80b27abf3a82
                • Instruction ID: 1e4e3f003def21808ba675819d00015b316d2c2a2eeddeaa7cb869d8e2b9de3a
                • Opcode Fuzzy Hash: b2f58a19088233c5dfb9adcd0df3ed315f4e2f642d328163fddd80b27abf3a82
                • Instruction Fuzzy Hash: 221175B290411C7EDB20EB61DC8ADEF77BCEB95710F0044AAF604D2181E6709F958BB0
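The call sequence in the entry above (GetSystemDirectoryW, _wcschr to cut the path back to the drive root, GetVolumeInformationW with only the serial-number out-parameter set, GetComputerNameW, then __snprintf_s with "%04x-%04x:%s") is consistent with the way Meterpreter's server component builds the machine identifier it reports to its handler. The block below is an added example, not code from the sample, from Joe Sandbox or from Metasploit: it shows how such an identifier is assembled and how an analyst can turn one recovered from a captured session back into a volume serial and host name for correlation against an asset inventory. It assumes that the two %04x fields are the high and low 16-bit halves of the 32-bit volume serial, which the report does not state; the serial numbers and host names are constructed.

```python
"""Build and parse the "%04x-%04x:%s" host identifier seen in the trace above.

Added example, not code from the sample or from Metasploit. Assumption: the two
%04x fields are the high and low words of the 32-bit volume serial number that
GetVolumeInformationW returns for the system drive, and %s is the computer name.
"""
import re

_ID_RE = re.compile(r"^([0-9a-fA-F]{4})-([0-9a-fA-F]{4}):(.+)$")


def machine_id(volume_serial: int, computer_name: str) -> str:
    """Format the identifier the way the traced function does: HIWORD-LOWORD:name."""
    if not 0 <= volume_serial <= 0xFFFFFFFF:
        raise ValueError("volume serial must be a 32-bit value")
    hi, lo = (volume_serial >> 16) & 0xFFFF, volume_serial & 0xFFFF
    return f"{hi:04x}-{lo:04x}:{computer_name}"


def parse_machine_id(identifier: str):
    """Recover (volume_serial, computer_name) from an identifier; None if malformed."""
    m = _ID_RE.match(identifier)
    if not m:
        return None
    hi, lo, name = m.groups()
    return (int(hi, 16) << 16) | int(lo, 16), name


# Constructed asset inventory: computer name -> system-volume serial number.
INVENTORY = {
    "WS01": 0x1A2B3C4D,
    "WS02": 0xDEADBEEF,
}


def match_inventory(identifier: str, inventory=INVENTORY):
    """Return the host whose name and volume serial both match, else None.

    Requiring both fields to agree means a reused host name with a different
    serial is reported as no match rather than as a false correlation.
    """
    parsed = parse_machine_id(identifier)
    if parsed is None:
        return None
    serial, name = parsed
    return name if inventory.get(name) == serial else None


if __name__ == "__main__":
    observed = machine_id(0x1A2B3C4D, "WS01")
    print(observed, "->", match_inventory(observed))
```

The serial is the one GetVolumeInformationW returns for the system drive (the path the trace truncates at the first backslash), so when correlating, use the serial of that volume rather than of whichever volume the host was imaged from.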
                APIs
                  • Part of subcall function 00906862: CreateRemoteThread.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000), ref: 00906888
                  • Part of subcall function 00906862: GetLastError.KERNEL32(?,?,009028E3,?,00100000,00000000,?,00000004,00000000,00000000,00000000,?,?,?,00901DFF), ref: 00906891
                  • Part of subcall function 00906862: GetModuleHandleA.KERNEL32(ntdll,RtlCreateUserThread,?,?,009028E3,?,00100000,00000000,?,00000004,00000000,00000000,00000000), ref: 009068BA
                  • Part of subcall function 00906862: GetProcAddress.KERNEL32(00000000), ref: 009068C1
                  • Part of subcall function 00906862: SetLastError.KERNEL32(00000000,?,?,009028E3,?,00100000,00000000,?,00000004,00000000,00000000,00000000,?,?,?,00901DFF), ref: 009068F8
                  • Part of subcall function 00906862: GetThreadId.KERNEL32(00000000,?,?,009028E3,?,00100000,00000000,?,00000004,00000000,00000000,00000000,?,?,?,00901DFF), ref: 00906909
                • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00902919
                • Sleep.KERNEL32(000007D0,?,?,?,?,?,?,00000000,00000000,?,00000000,?,?), ref: 00902955
                • ResumeThread.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 0090295C
                • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,00000000,?,?), ref: 00902967
                • CloseHandle.KERNEL32(00000000), ref: 00902974
                • SetLastError.KERNEL32(00000000), ref: 0090297B
                • GetLastError.KERNEL32(00000000), ref: 00902989
                  • Part of subcall function 00902993: _memset.LIBCMT ref: 009029AC
                  • Part of subcall function 00902993: GetVersionExW.KERNEL32(00000114,?,?,00000000), ref: 009029C5
                  • Part of subcall function 00902993: GetLastError.KERNEL32(?,?,00000000), ref: 009029CF
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Similarity
                • API ID: ErrorLast$Thread$Handle$AddressCloseCreateModuleProcRemoteResumeSleepVersion_memset
                • String ID:
                • API String ID: 1341253150-0
                • Opcode ID: 35011f4804446504d60c843d6f0dc4ec936ad76e37d0caeacde87a4c913a7dd6
                • Instruction ID: e8625258fa4e0aab77b44a257b208dc9d6d8e1f37ea9b4389872299e0aabc774
                • Opcode Fuzzy Hash: 35011f4804446504d60c843d6f0dc4ec936ad76e37d0caeacde87a4c913a7dd6
                • Instruction Fuzzy Hash: 37219F31800119FFCF225F90DD09AAE7F79EF54BA1F104155FD28A2190D7318AA2EB91
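The subcall at 00906862 in the entry above creates a thread in another process with CreateRemoteThread and, if that fails, resolves RtlCreateUserThread from ntdll by name with GetModuleHandleA/GetProcAddress and tries again; the caller then sleeps, resumes the thread and closes its handle. Both paths produce the same kernel thread-creation notification, and Sysmon derives its Event ID 8 (CreateRemoteThread) from that kernel callback rather than from the Win32 API, so a detection keyed on that event also covers the ntdll fallback. The block below is an added example, not code from the sample or from Joe Sandbox, that runs such a check over Event ID 8 records: the field names are Sysmon's, the events, paths, PIDs and addresses are constructed for the example, and the source-image allowlist is a placeholder to tune per environment.

```python
"""Flag cross-process thread creation of the kind traced above.

Added example, not code from the sample or from Joe Sandbox. Input records use
Sysmon Event ID 8 field names (SourceImage, TargetImage, StartAddress,
StartModule, StartFunction); the records themselves are constructed. Two
signals are used: a start address that no loaded module backs (StartModule
empty), meaning the thread runs from memory the injector wrote, and a start
function that pulls a DLL into the target (classic DLL injection).
"""
from typing import Iterable

# Constructed events. Paths, PIDs and addresses are invented for the example.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Users\user\Desktop\1.exe", "SourceProcessId": 4712,
     "TargetImage": r"C:\Windows\System32\notepad.exe", "TargetProcessId": 5120,
     "StartAddress": "0x02A40000", "StartModule": "", "StartFunction": ""},
    {"SourceImage": r"C:\Users\user\Desktop\1.exe", "SourceProcessId": 4712,
     "TargetImage": r"C:\Windows\System32\svchost.exe", "TargetProcessId": 1340,
     "StartAddress": "0x76C01B90", "StartModule": r"C:\Windows\System32\kernel32.dll",
     "StartFunction": "LoadLibraryA"},
    {"SourceImage": r"C:\Windows\System32\csrss.exe", "SourceProcessId": 612,
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 2200,
     "StartAddress": "0x77A90B30", "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "LdrInitializeThunk"},
    {"SourceImage": r"C:\Program Files\Vendor\agent.exe", "SourceProcessId": 900,
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 2200,
     "StartAddress": "0x77A90B30", "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "LdrInitializeThunk"},
]

# Placeholder allowlist of source images; tune per environment (example only).
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}

# Start functions that load a module into the target process.
LOADER_FUNCTIONS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA",
                    "LoadLibraryExW", "LdrLoadDll"}


def classify(event: dict):
    """Return a reason string if the event looks like code injection, else None."""
    if event.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return None
    if event.get("SourceProcessId") == event.get("TargetProcessId"):
        return None  # a thread in the creator's own process is not remote
    if not event.get("StartModule"):
        return "thread start address is not backed by a loaded module"
    if event.get("StartFunction") in LOADER_FUNCTIONS:
        return f"remote thread starts at {event['StartFunction']}"
    return None


def find_injections(events: Iterable[dict]):
    """Run classify() over the records; return (source, target, reason) findings."""
    findings = []
    for ev in events:
        reason = classify(ev)
        if reason:
            findings.append((ev["SourceImage"], ev["TargetImage"], reason))
    return findings


if __name__ == "__main__":
    for src, dst, why in find_injections(SAMPLE_EVENTS):
        print(f"{src} -> {dst}: {why}")
```

The unbacked-start-address signal is the one that matters for this sample, since a reflectively loaded payload has no module on disk for StartModule to name; a thread that starts inside a legitimate module, as in the two explorer.exe events, needs the start function or the source image to decide, which is why those are left to the allowlist and the loader-function set.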
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Similarity
                • API ID: _wcsncpy$_memmove_wcscpy
                • String ID:
                • API String ID: 2086914641-0
                • Opcode ID: e562fbe623909a4c0a364d380150625a5a63f802e6031f5ce03cc012f70aa93c
                • Instruction ID: 557dd35dff86709de3d6100880f87d8570bef71ca1bcec9d00d62d880580bbf6
                • Opcode Fuzzy Hash: e562fbe623909a4c0a364d380150625a5a63f802e6031f5ce03cc012f70aa93c
                • Instruction Fuzzy Hash: C321AFB1A00B0ABFDB219F64D805F82B3E8FB48314F048529E64E53592E776F1A5CB84
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Similarity
                • API ID: _wcsncpy$_memmove_wcscpy
                • String ID:
                • API String ID: 2086914641-0
                APIs
                • _memset.LIBCMT ref: 009036F8
                • _memset.LIBCMT ref: 00903725
                • _free.LIBCMT ref: 0090372C
                • _free.LIBCMT ref: 00903735
                • _free.LIBCMT ref: 00903700
                  • Part of subcall function 0090F788: HeapFree.KERNEL32(00000000,00000000,?,009158F9,00000000,?,?,?,00000000,?,0091903E,00000018,00925620,00000008,00918F8B,?), ref: 0090F79C
                  • Part of subcall function 0090F788: GetLastError.KERNEL32(00000000,?,009158F9,00000000,?,?,?,00000000,?,0091903E,00000018,00925620,00000008,00918F8B,?,?), ref: 0090F7AE
                • _memset.LIBCMT ref: 00903759
                • _free.LIBCMT ref: 0090375F
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: _free$_memset$ErrorFreeHeapLast
                • String ID:
                • API String ID: 622543930-0
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _free$_memset
                • String ID:
                • API String ID: 4237643672-0
                APIs
                • __init_pointers.LIBCMT ref: 009159BB
                  • Part of subcall function 00913E52: EncodePointer.KERNEL32(00000000,00000001,009159C0,009138C1,009254B0,00000008,00913A87,?,00000001,?,009254D0,0000000C,00913A26,?,00000001,?), ref: 00913E55
                  • Part of subcall function 00913E52: __initp_misc_winsig.LIBCMT ref: 00913E70
                  • Part of subcall function 00913E52: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0091899C
                  • Part of subcall function 00913E52: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 009189B0
                  • Part of subcall function 00913E52: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 009189C3
                  • Part of subcall function 00913E52: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 009189D6
                  • Part of subcall function 00913E52: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 009189E9
                  • Part of subcall function 00913E52: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 009189FC
                  • Part of subcall function 00913E52: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00918A0F
                  • Part of subcall function 00913E52: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00918A22
                  • Part of subcall function 00913E52: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00918A35
                  • Part of subcall function 00913E52: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00918A48
                  • Part of subcall function 00913E52: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00918A5B
                  • Part of subcall function 00913E52: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00918A6E
                  • Part of subcall function 00913E52: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00918A81
                  • Part of subcall function 00913E52: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00918A94
                  • Part of subcall function 00913E52: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00918AA7
                  • Part of subcall function 00913E52: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00918ABA
                • __mtinitlocks.LIBCMT ref: 009159C0
                • __mtterm.LIBCMT ref: 009159C9
                  • Part of subcall function 00915A31: DeleteCriticalSection.KERNEL32(?,?,?,?,0091398C,00913972,009254B0,00000008,00913A87,?,00000001,?,009254D0,0000000C,00913A26,?), ref: 00918FBF
                  • Part of subcall function 00915A31: _free.LIBCMT ref: 00918FC6
                  • Part of subcall function 00915A31: DeleteCriticalSection.KERNEL32(0092A2B0,?,?,0091398C,00913972,009254B0,00000008,00913A87,?,00000001,?,009254D0,0000000C,00913A26,?,00000001), ref: 00918FE8
                • __calloc_crt.LIBCMT ref: 009159EE
                • __initptd.LIBCMT ref: 00915A10
                • GetCurrentThreadId.KERNEL32 ref: 00915A17
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                • String ID:
                • API String ID: 3567560977-0
                APIs
                • _ValidateScopeTableHandlers.LIBCMT ref: 00914700
                • __FindPESection.LIBCMT ref: 0091471A
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: FindHandlersScopeSectionTableValidate
                • String ID:
                • API String ID: 876702719-0
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: _memmove
                • String ID:
                • API String ID: 4104443479-0
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _memmove
                • String ID:
                • API String ID: 4104443479-0
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: _memmovehtonl$_free_malloc
                • String ID:
                • API String ID: 2068101931-0
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: _malloc
                • String ID:
                • API String ID: 1579825452-0
                APIs
                • __init_pointers.LIBCMT ref: 0042AE4C
                  • Part of subcall function 004292E3: __initp_misc_winsig.LIBCMT ref: 00429301
                • __mtinitlocks.LIBCMT ref: 0042AE51
                • __mtterm.LIBCMT ref: 0042AE5A
                  • Part of subcall function 0042AEC2: _free.LIBCMT ref: 0042E457
                • __calloc_crt.LIBCMT ref: 0042AE7F
                • __initptd.LIBCMT ref: 0042AEA1
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: __calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                • String ID:
                • API String ID: 206718379-0
                APIs
                  • Part of subcall function 00406A00: GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,004117F8,00000001,?,00000000), ref: 00406A0B
                  • Part of subcall function 00406A00: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00406A24
                • printf.MSVCRT ref: 0040201A
                • printf.MSVCRT ref: 00402042
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: Timeprintf$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
                • String ID: Send request failed!$Send request timed out!$IK
                • API String ID: 3625036506-1697100645
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _memset$_free
                • String ID: <
                • API String ID: 2449463427-4251816714
                APIs
                • _mbstowcs_s.LIBCMT ref: 0041E335
                  • Part of subcall function 00425CF8: __wcstombs_s_l.LIBCMT ref: 00425D0C
                  • Part of subcall function 0041A509: __aulldiv.LIBCMT ref: 0041A541
                • _strncmp.LIBCMT ref: 0041E350
                • _strrchr.LIBCMT ref: 0041E377
                • _strrchr.LIBCMT ref: 0041E38F
                  • Part of subcall function 00428C97: __wcstoi64.LIBCMT ref: 00428CA1
                  • Part of subcall function 0041DC43: _memset.LIBCMT ref: 0041DC6A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _strrchr$__aulldiv__wcstoi64__wcstombs_s_l_mbstowcs_s_memset_strncmp
                • String ID: 6
                • API String ID: 3857070537-498629140
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _memset$_free
                • String ID: <
                • API String ID: 2449463427-4251816714
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: exitfprintfprintf
                • String ID: %s: %s (%d)$Total of %d requests completed
                • API String ID: 330722453-2862413500
                APIs
                • _ValidateScopeTableHandlers.LIBCMT ref: 00429B91
                • __FindPESection.LIBCMT ref: 00429BAB
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: FindHandlersScopeSectionTableValidate
                • String ID:
                • API String ID: 876702719-0
                APIs
                • CreateFileW.KERNEL32(?,?,00000003,00000000,00000FFC,00000000,00000000,?), ref: 00409536
                • CreateFileA.KERNEL32(?,?,00000003,00000000,00000FFC,00000000,00000000,?,?,?,?,00404755,?,?,00000001,00000FFF), ref: 00409550
                • GetLastError.KERNEL32(?,?,?,00404755,?,?,00000001,00000FFF,?), ref: 00409567
                • GetLastError.KERNEL32(?,?,?,00404755,?,?,00000001,00000FFF,?), ref: 00409571
                • SetFilePointer.KERNEL32(?,00000000,00000000,00000002,?,?,?,00000060,?,?,?,00404755,?,?,00000001,00000FFF), ref: 004095E9
                  • Part of subcall function 004096C0: GetFileInformationByHandle.KERNEL32(?,?,00000003,?,?,00000060,?,?,?,00404755,?,?,00000001,00000FFF,?), ref: 004096D9
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: File$CreateErrorLast$HandleInformationPointer
                • String ID:
                • API String ID: 3824182389-0
                • Opcode ID: f7a41ea62d507c1e1c7f78ffd9900ee0c9d6d4848790e352b696cb55ea98cb50
                • Instruction ID: ac720ec0b51c304cca149fc18e87b58ae87a6e9f68248ad66f4ca5a1643f0eb7
                • Opcode Fuzzy Hash: f7a41ea62d507c1e1c7f78ffd9900ee0c9d6d4848790e352b696cb55ea98cb50
                • Instruction Fuzzy Hash: 6A81F2716002049BE724DF59C881FA7B7A5EF94314F24853EEA84AB3D2D77ADC41CB98
                APIs
                • _memset.LIBCMT ref: 0041CD54
                • _memset.LIBCMT ref: 0041CD68
                • __time64.LIBCMT ref: 0041CD76
                  • Part of subcall function 00426578: __aulldiv.LIBCMT ref: 004265A1
                  • Part of subcall function 0041F662: _malloc.LIBCMT ref: 0041F66B
                  • Part of subcall function 0041F662: _memset.LIBCMT ref: 0041F681
                  • Part of subcall function 0041B5CB: _calloc.LIBCMT ref: 0041B5D0
                • _malloc.LIBCMT ref: 0041CE30
                • _memcpy_s.LIBCMT ref: 0041CE3C
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _memset$_malloc$__aulldiv__time64_calloc_memcpy_s
                • String ID:
                • API String ID: 3504761939-0
                • Opcode ID: 4b30d112c678ca326b4e62edb6854652631e92b506e9f67a16d46ea3841c00f3
                • Instruction ID: 55ee243a220fd216c8cae1bb22e36ea64fac0bace50072204a4884c5285c3278
                • Opcode Fuzzy Hash: 4b30d112c678ca326b4e62edb6854652631e92b506e9f67a16d46ea3841c00f3
                • Instruction Fuzzy Hash: 058180B1A40616AFD714EF61DD85AEAB7A8FF08314F10411FF509D7681DB38E891CB98
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: strchr
                • String ID: $(null)$0
                • API String ID: 2830005266-346035378
                • Opcode ID: a5d248de21f3a564d4578d1f52796f989e45dd86516ed0d883ecd24cd3f6536f
                • Instruction ID: 62280713d0aae595eb025e39eadc447a68a4b14b0fdbbcc23135ccd4917e52bd
                • Opcode Fuzzy Hash: a5d248de21f3a564d4578d1f52796f989e45dd86516ed0d883ecd24cd3f6536f
                • Instruction Fuzzy Hash: 14911C74E081499BDF14CF68C580AAEBBF1AF59344F1480AAD855F7381D778BE01CB66
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _free
                • String ID:
                • API String ID: 269201875-0
                • Opcode ID: 83164947a91e4d0a6e891a5122b9afb634a1475ab76259eed96e29eebd1bb9ea
                • Instruction ID: e81c463416bb8eac41b49de167bacabc112b250da980adcb1cc846970b92700e
                • Opcode Fuzzy Hash: 83164947a91e4d0a6e891a5122b9afb634a1475ab76259eed96e29eebd1bb9ea
                • Instruction Fuzzy Hash: 07715F75E00209AFDB14DFA6DC85BEE77B8FF04314F14406AF915E6241EB78EA908B64
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _free_malloc_memcmp_memcpy_s_memmove
                • String ID:
                • API String ID: 1750545951-0
                • Opcode ID: 406d4700f2b7f03e43a03702f00a071133a2e8ee651cedf69029468eae0784fd
                • Instruction ID: 2a9ffabaeb8b77c76a1b070b85005058a133582a28abfba4abbefb143efd166d
                • Opcode Fuzzy Hash: 406d4700f2b7f03e43a03702f00a071133a2e8ee651cedf69029468eae0784fd
                • Instruction Fuzzy Hash: D861E876E00219BBDB109BAACC85FDE7BA9EF08314F140066FD04E7251DA78D9858B98
                APIs
                • _memset.LIBCMT ref: 00419543
                • _malloc.LIBCMT ref: 004195FA
                  • Part of subcall function 00424C51: __FF_MSGBANNER.LIBCMT ref: 00424C68
                  • Part of subcall function 00424C51: __NMSG_WRITE.LIBCMT ref: 00424C6F
                • _malloc.LIBCMT ref: 00419622
                  • Part of subcall function 00419E4A: _malloc.LIBCMT ref: 00419E4D
                • _free.LIBCMT ref: 0041969D
                • _free.LIBCMT ref: 004196A7
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _malloc$_free$_memset
                • String ID:
                • API String ID: 1226919063-0
                • Opcode ID: 9a53cee6b6654b75042185b1e1e1e14ae9e5ca6f7735beaefd3f4523b0214c71
                • Instruction ID: 68b3792e46c70fe14dd33ba2e6f7b3f4a3149360671d0d96c0d89a07e7a05c1c
                • Opcode Fuzzy Hash: 9a53cee6b6654b75042185b1e1e1e14ae9e5ca6f7735beaefd3f4523b0214c71
                • Instruction Fuzzy Hash: 56516B71A00215EFDF20CF68C890BAABBB1EF44314F24856AE818D7355D739DD90CBA8
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: _free$_malloc_memset
                • String ID:
                • API String ID: 2102557794-0
                • Opcode ID: eb19ea0d235d7e9b8173ddc2eef9b840cacbd9fc6780c339d61cfe5f73e4d11b
                • Instruction ID: 3bd88c1f964f13fad0fe43d9fb322c240bff24d3071a9c19818f9ef2e111f373
                • Opcode Fuzzy Hash: eb19ea0d235d7e9b8173ddc2eef9b840cacbd9fc6780c339d61cfe5f73e4d11b
                • Instruction Fuzzy Hash: 9341B171A00209BFDF219FA0CC819BE7BBEEF45310B148429F90A561A1D736CF519B91
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _wcschr$__aulldiv__snprintf_s_calloc_wcsstr
                • String ID:
                • API String ID: 572502409-0
                • Opcode ID: 6f5bfc4f91480ed17a597eaa3757089316ebe7dcfe6c204af444727d92b619a0
                • Instruction ID: f2a453d7fd53b36316e3c36258a70f3ea3dbd8106f53d373415a9fc753fef013
                • Opcode Fuzzy Hash: 6f5bfc4f91480ed17a597eaa3757089316ebe7dcfe6c204af444727d92b619a0
                • Instruction Fuzzy Hash: 404116F1E00211FBDB20AF65DC46BDA7768EF14354F50416BFB08E6291EB399990C798
                APIs
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00408CFF
                • #21.WSOCK32(E8520041,0000FFFF,00001006,0040169A,00000004,00401686,00000000,000003E8,00000000,?,?,00000000,?,00401EDA,?,00000000), ref: 00408D1D
                • #21.WSOCK32(E8520041,0000FFFF,00001005,0040169A,00000004,?,?,00000000,?,00401EDA,?,00000000,00000000,00401686,00401682,00000000), ref: 00408D30
                  • Part of subcall function 00408C20: ioctlsocket.WSOCK32(C0335E5F,8004667E,00401682,00000000,?,00408F28,?,?,?,?,?,004117F8,00000001,?,00000000), ref: 00408C38
                  • Part of subcall function 00408C20: WSAGetLastError.WSOCK32(?,?,00408F28,?,?,?,?,?,004117F8,00000001,?,00000000,?,?,?,?), ref: 00408C4A
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLastUnothrow_t@std@@@__ehfuncinfo$??2@ioctlsocket
                • String ID:
                • API String ID: 272762528-0
                • Opcode ID: 7f72bba78d5da85a8ba95dacef2e8f0183263f47da11a11dbdd0436ce6d3cf2a
                • Instruction ID: b431f02b21c252293e7429a2b27a3026506aa5e8d29479fecd65efa3c247a255
                • Opcode Fuzzy Hash: 7f72bba78d5da85a8ba95dacef2e8f0183263f47da11a11dbdd0436ce6d3cf2a
                • Instruction Fuzzy Hash: 4A3142762007056BE720DF55DE81E57B3E9BF98B14F104A3EEA89A77C1EA74F8008A54
                APIs
                • _malloc.LIBCMT ref: 009101EC
                  • Part of subcall function 0090F7C0: __FF_MSGBANNER.LIBCMT ref: 0090F7D7
                  • Part of subcall function 0090F7C0: __NMSG_WRITE.LIBCMT ref: 0090F7DE
                  • Part of subcall function 0090F7C0: RtlAllocateHeap.NTDLL(006C0000,00000000,00000001,00000000,00000000,00000000,?,00918CB7,?,?,?,00000000,?,0091903E,00000018,00925620), ref: 0090F803
                • _free.LIBCMT ref: 009101FF
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: AllocateHeap_free_malloc
                • String ID:
                • API String ID: 1020059152-0
                • Opcode ID: 836a4f2f68807028cd4ecd586b83904e57c02bf8c90deb41ce505ecc8286a4a4
                • Instruction ID: de01d2878f594b8dc2c219a8425963e6bdc3f14828853c88b2f15ec9ec21d8cd
                • Opcode Fuzzy Hash: 836a4f2f68807028cd4ecd586b83904e57c02bf8c90deb41ce505ecc8286a4a4
                • Instruction Fuzzy Hash: 7F112772B4821DAFCF302B70AC097E937A85FD0360B208C25F825A7051EBB589C19794
                APIs
                • WaitForSingleObject.KERNEL32(?,-00000001,?,?,00405756,?,00000000,00000000,00000001,?,?,00000000,?,?,00000000,00000001), ref: 0040A4C6
                • GetExitCodeProcess.KERNEL32(?,00000000), ref: 0040A4DB
                • CloseHandle.KERNEL32(?,?,00405756,?,00000000,00000000,00000001,?,?,00000000,?,?,00000000,00000001,?,?), ref: 0040A507
                • GetLastError.KERNEL32(?,00405756,?,00000000,00000000,00000001,?,?,00000000,?,?,00000000,00000001,?,?,?), ref: 0040A535
                • GetLastError.KERNEL32(?,00405756,?,00000000,00000000,00000001,?,?,00000000,?,?,00000000,00000001,?,?,?), ref: 0040A540
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$CloseCodeExitHandleObjectProcessSingleWait
                • String ID:
                • API String ID: 2245483553-0
                • Opcode ID: ce94e9386f8c0af04bd106d625d40b890bca012dc55d7e66457ec7a5520f5381
                • Instruction ID: 6ae1a3a82f63760db5dd5dced1964bf4e1ffa7e8a7d7da1633cc2b8e220f8f44
                • Opcode Fuzzy Hash: ce94e9386f8c0af04bd106d625d40b890bca012dc55d7e66457ec7a5520f5381
                • Instruction Fuzzy Hash: 00113372600219DBDB20DFA8F944AA777A8EB54754B004636FA05E7380E674E864CBA6
                APIs
                • WriteProcessMemory.KERNEL32(000000FF,00904599,?,00000005,?,?,?,009046FA,?,00000000,?,00904599,?,?), ref: 0090460C
                • VirtualQuery.KERNEL32(?,?,0000001C,?,?), ref: 00904627
                • VirtualProtect.KERNEL32(?,00000040,00000040,?,?,?), ref: 0090463F
                • VirtualProtect.KERNEL32(?,?,?,?,?,?), ref: 0090465C
                • FlushInstructionCache.KERNEL32(000000FF,?,?,?,?), ref: 00904666
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: Virtual$Protect$CacheFlushInstructionMemoryProcessQueryWrite
                • String ID:
                • API String ID: 834688674-0
                • Opcode ID: 4fa9227ec40cecbf0ee0fa5d33ccab753aa23291283bd005b522bdf82fe6b9db
                • Instruction ID: 46e75455decdfad3454995cfb91cd0d2c0dcb0aad66a9765cb7756b96a15a2ab
                • Opcode Fuzzy Hash: 4fa9227ec40cecbf0ee0fa5d33ccab753aa23291283bd005b522bdf82fe6b9db
                • Instruction Fuzzy Hash: 4A11333690411EABCF118FA8CD04DEEBF79EF59220B044316F624A21A0D63099219B61
                APIs
                • __time64.LIBCMT ref: 00905108
                  • Part of subcall function 009110E7: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,009078EA,00000000,?,00000000,000000FF,?,00000000,000000FF,009254A0,00000214,00905723,?), ref: 009110F0
                  • Part of subcall function 009110E7: __aulldiv.LIBCMT ref: 00911110
                • _rand.LIBCMT ref: 00905121
                • _rand.LIBCMT ref: 00905135
                • _rand.LIBCMT ref: 00905142
                • _rand.LIBCMT ref: 0090514F
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: _rand$Time$FileSystem__aulldiv__time64
                • String ID:
                • API String ID: 2467205089-0
                • Opcode ID: a4ab4c13837637097c54dce93924a8519d0cccebf145d0cf080ff40ae8fe1a76
                • Instruction ID: 95867c3009054fa18fabf48041af7e88b3f8e58c723c9cfcdf9ab1f3b976c3e9
                • Opcode Fuzzy Hash: a4ab4c13837637097c54dce93924a8519d0cccebf145d0cf080ff40ae8fe1a76
                • Instruction Fuzzy Hash: 6AF0E97731D74855C231A75755C37DD7EC94FC2331F14400CF259035D294E994DA8979
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _rand$__aulldiv__time64
                • String ID:
                • API String ID: 31558152-0
                • Opcode ID: cc0c955d7446f95248226ffa46e08f5108db8618a41b67b342804a00bc637fc0
                • Instruction ID: 2b724c764c59168ac50c0acb929da4290487dcb2fec3468383cf63b6ac0ab165
                • Opcode Fuzzy Hash: cc0c955d7446f95248226ffa46e08f5108db8618a41b67b342804a00bc637fc0
                • Instruction Fuzzy Hash: FEF024F710D76094C220A76A64C27553AC94F42335F24408FF09803281E87898E9C53D
                APIs
                • LeaveCriticalSection.KERNEL32(-0000000C,00000000,?,0040511A,00000000,?,00405F64), ref: 0040A352
                • SetEvent.KERNEL32(?,00000000,?,0040511A,00000000,?,00405F64), ref: 0040A368
                • GetLastError.KERNEL32(?,0040511A,00000000,?,00405F64), ref: 0040A389
                • GetLastError.KERNEL32(?,0040511A,00000000,?,00405F64), ref: 0040A38F
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$CriticalEventLeaveSection
                • String ID:
                • API String ID: 3480337489-0
                • Opcode ID: c38fbd374d23ef107c51dab52487fbbbbc1b4f0314f15fce748fca892ac654bd
                • Instruction ID: 456bd01fc1b439688783bd51cfc9944846aededd9d0b47765f81204111c76b01
                • Opcode Fuzzy Hash: c38fbd374d23ef107c51dab52487fbbbbc1b4f0314f15fce748fca892ac654bd
                • Instruction Fuzzy Hash: 07F08932610318D7C724A7F8DD4496F775CDB153543144537E909EA240D635DC51D799
                APIs
                • VirtualQuery.KERNEL32(?,?,0000001C,?,?,00904874,?,00000000,?,?,00000000,?,?,?,?,0090440D), ref: 009047A1
                • VirtualProtect.KERNEL32(?,?,00000040,?,?,?,00904874,?,00000000,?,?,00000000), ref: 009047B3
                • WriteProcessMemory.KERNEL32(000000FF,?,?,00000005,?,?,?,00904874,?,00000000,?,?,00000000), ref: 009047C7
                • VirtualProtect.KERNEL32(?,?,?,00000000,?,?,00904874,?,00000000,?,?,00000000), ref: 009047DA
                • FlushInstructionCache.KERNEL32(000000FF,?,?,?,?,00904874,?,00000000,?,?,00000000,?,?,?,?,0090440D), ref: 009047E8
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: Virtual$Protect$CacheFlushInstructionMemoryProcessQueryWrite
                • String ID:
                • API String ID: 834688674-0
                • Opcode ID: 0a097af5b8471c0592e074760b0742e0df9f2c898f344f8194d9608653fd1ca0
                • Instruction ID: 6abd5e8722b8aa08528bc90734305542a9b6cc96d9d479bfd0d9698658e5f889
                • Opcode Fuzzy Hash: 0a097af5b8471c0592e074760b0742e0df9f2c898f344f8194d9608653fd1ca0
                • Instruction Fuzzy Hash: 7FF0667684810EBFDF119FD0DD0ADEEBB79FB08315F104250FB25A10A0D6329A72AB61
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _memset
                • String ID: PB
                • API String ID: 2102423945-4055908244
                • Opcode ID: 249d642e2b55b00b55f20902614e9a2256fbedb8135105af63d086fc5207b396
                • Instruction ID: 75a8093559ba32c742cbdb9d51a1eb09581b627c7379d3b9da83392a2495816d
                • Opcode Fuzzy Hash: 249d642e2b55b00b55f20902614e9a2256fbedb8135105af63d086fc5207b396
                • Instruction Fuzzy Hash: 1E417BB6B00624ABE7148F6EADC16AAB7B5FF96300FA5413FD005D3261F6399D868341
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: Alloc
                • String ID: apr_initialize
                • API String ID: 2773662609-1647172449
                • Opcode ID: 487a2490f2de4cd5a202d8c99ca6990a9f8e240f5e0a9fa222b3d39207e783cf
                • Instruction ID: b4841333c2a22d781c381d96dd6ca0068e742df3b49b6d2cf86dcc4d7ae9010f
                • Opcode Fuzzy Hash: 487a2490f2de4cd5a202d8c99ca6990a9f8e240f5e0a9fa222b3d39207e783cf
                • Instruction Fuzzy Hash: 5E11B6B5A4020957DB50DBB1AD455BB33ADDB44308F1041BAFD08E7281F93CCD108BA9
                APIs
                  • Part of subcall function 0090A109: WaitForSingleObject.KERNEL32(?,000000FF,?,00904A00,00000001,00000000,?,009049E4,00000000,00000000,00906503,00000000,00000000,0090798B), ref: 0090A117
                • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 00907EB3
                • GetLastError.KERNEL32 ref: 00907EC4
                • Sleep.KERNEL32(?), ref: 00907EE5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLastNamedObjectPeekPipeSingleSleepWait
                • String ID:
                • API String ID: 52212926-3916222277
                • Opcode ID: a4430675cb58b3e882ab65d7f6d2cd773cfe7ea857342ab8c9c47d4cdb086c97
                • Instruction ID: 05d8e574f9a297326794ad37f40f9b9ba830d3cc85039fb72e47382e6465364e
                • Opcode Fuzzy Hash: a4430675cb58b3e882ab65d7f6d2cd773cfe7ea857342ab8c9c47d4cdb086c97
                • Instruction Fuzzy Hash: 6A01A236909114AFCB209F9AED48C5BFBBCEF8572171041A6FD08975B1D630AC619AA1
                APIs
                • _malloc.LIBCMT ref: 00418092
                  • Part of subcall function 00424C51: __FF_MSGBANNER.LIBCMT ref: 00424C68
                  • Part of subcall function 00424C51: __NMSG_WRITE.LIBCMT ref: 00424C6F
                • _memset.LIBCMT ref: 004180A6
                • _memset.LIBCMT ref: 004180DD
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _memset$_malloc
                • String ID: KtA
                • API String ID: 3506388080-3372644039
                • Opcode ID: 6c40d877e41d25a9b0c2e3db2f2b81d3c0d3d5052e85fe8644193127089b0fc4
                • Instruction ID: f0c0427f7b987493ba3c03ad20616a21e70860443d1fc55dd88d00c470547ebb
                • Opcode Fuzzy Hash: 6c40d877e41d25a9b0c2e3db2f2b81d3c0d3d5052e85fe8644193127089b0fc4
                • Instruction Fuzzy Hash: 510186716006157FD300EF2A9C81FA7BBA8EF45758B00402EFA1CD7602DF389995C7A9
                APIs
                • LoadLibraryA.KERNEL32(advapi32.dll,?,009076CC,00000000,00000004,00000004,00000000,009077D9), ref: 009072B5
                • GetProcAddress.KERNEL32(00000000,AddMandatoryAce), ref: 009072C5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: AddMandatoryAce$advapi32.dll
                • API String ID: 2574300362-673174713
                • Opcode ID: 62c091ff34f73b0c6a1f0a9ca0cb93e3f60cf63625781a4ba6bc3b4b2a47a79c
                • Instruction ID: 0c44c3f8cbb35c6f7f086eae1469a8382552d7372e0225acfef7c9799c7a4d01
                • Opcode Fuzzy Hash: 62c091ff34f73b0c6a1f0a9ca0cb93e3f60cf63625781a4ba6bc3b4b2a47a79c
                • Instruction Fuzzy Hash: 9BF0A03265C208EFDF208FE4ED04B963BAEBB04740F408014B911919B0C331D972EF65
                APIs
                • LoadLibraryA.KERNEL32(kernel32.dll,009078E4,?,00000000,000000FF,?,00000000,000000FF,009254A0,00000214,00905723,?,00000001,?,?), ref: 0090A327
                • GetProcAddress.KERNEL32(00000000,SetThreadErrorMode), ref: 0090A333
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: SetThreadErrorMode$kernel32.dll
                • API String ID: 2574300362-2080226504
                • Opcode ID: 2fb4f006c647bebb703a2affb3439aa506c5491c76c3c9af71d410be63022681
                • Instruction ID: 359a30bb44208023bc723fab473e2f6491f449df314cdf1c74c6423a387c08e3
                • Opcode Fuzzy Hash: 2fb4f006c647bebb703a2affb3439aa506c5491c76c3c9af71d410be63022681
                • Instruction Fuzzy Hash: 01C04C707D93116AEA2017E17C4EF5535185BA0B46F104000B611D50E9DAA4A261D565
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: strchr
                • String ID: %s: illegal option -- %c$%s: option requires an argument -- %c$L@A
                • API String ID: 2830005266-2383883331
                • Opcode ID: 68e61d586053f3f519a33f76ec617db903629e73843b58cfe012af560ca78f33
                • Instruction ID: 86489de3422707152579c998a1953a83942581348926bb9a2000340e45114fa6
                • Opcode Fuzzy Hash: 68e61d586053f3f519a33f76ec617db903629e73843b58cfe012af560ca78f33
                • Instruction Fuzzy Hash: CB515875204B858FD721CF28D480AA3BBF5FF49310B14896EE8D69B791D378E845CB64
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _free$_malloc_memset
                • String ID:
                • API String ID: 2102557794-0
                • Opcode ID: 70ab21c43072e11d056dbe03d97873b0270650d08316fce040445d50e31a6f00
                • Instruction ID: 59160f37acbf781dc340fae70617451023ea42fd3a7a02c2be4445abdd009a0a
                • Opcode Fuzzy Hash: 70ab21c43072e11d056dbe03d97873b0270650d08316fce040445d50e31a6f00
                • Instruction Fuzzy Hash: 7241B371A00209AFDF209F95DC818FF7BBAEF44354B14442FF90552611DB398DA1DB59
                APIs
                • _calloc.LIBCMT ref: 0041AC53
                  • Part of subcall function 004254B2: __calloc_impl.LIBCMT ref: 004254C5
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: __calloc_impl_calloc
                • String ID:
                • API String ID: 2108883976-0
                • Opcode ID: 63335f8767379a98f6e4e66dc2f42b849940f5bbd9d2270db84c9e72d3553446
                • Instruction ID: 09a85ebd8d1187cb3f04d28adbd684b0d8f8e2011d82d7d2764465080dee9ef8
                • Opcode Fuzzy Hash: 63335f8767379a98f6e4e66dc2f42b849940f5bbd9d2270db84c9e72d3553446
                • Instruction Fuzzy Hash: CE41DDB5601219EFDB00DF69DD85EEB3BA9FF04311B14012AFC08D6251EB39D9A1CBA5
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: malloc$reallocwcslen
                • String ID:
                • API String ID: 2087320793-0
                • Opcode ID: a2f947ee24586d8d02409f3295417eea3e928b31774d6d1a6aa9f1146132840b
                • Instruction ID: 6b0556560ab20689db0b944b12a49dc93c23505709d06557d790d107311945c6
                • Opcode Fuzzy Hash: a2f947ee24586d8d02409f3295417eea3e928b31774d6d1a6aa9f1146132840b
                • Instruction Fuzzy Hash: 8D412875A0020AAFCB10CFADD984A9EBBB4FF48314F14857AE849E7340D6359A24CB95
                APIs
                • _malloc.LIBCMT ref: 00419719
                  • Part of subcall function 00424C51: __FF_MSGBANNER.LIBCMT ref: 00424C68
                  • Part of subcall function 00424C51: __NMSG_WRITE.LIBCMT ref: 00424C6F
                • _free.LIBCMT ref: 004197ED
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _free_malloc
                • String ID:
                • API String ID: 845055658-0
                • Opcode ID: bdb5ac8313096eef45708a5c76a35f592dec02f7d45160f183b051d05b214746
                • Instruction ID: a1dc47f0db914d44b6dfc9e4526f557c99de2f9f2f3f8ce2402ce9184df51795
                • Opcode Fuzzy Hash: bdb5ac8313096eef45708a5c76a35f592dec02f7d45160f183b051d05b214746
                • Instruction Fuzzy Hash: B331C8B5A10129EFDB00DF68DC9099ABBA8FF48354B21415BF809A7352D734ED91CBD4
                APIs
                • GetFileInformationByHandle.KERNEL32(?,?,?,00000000,?,?,0040479D,?,0073B170,?,?,?,00000001,00000FFF,?), ref: 0040A108
                • GetLastError.KERNEL32(?,?,0040479D,?,0073B170,?,?,?,00000001,00000FFF,?), ref: 0040A118
                • GetLastError.KERNEL32(?,?,0040479D,?,0073B170,?,?,?,00000001,00000FFF,?), ref: 0040A122
                  • Part of subcall function 0040B2D0: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000FFF,00000003,?,?,00409361,00000003,?,00000003,?,0040963D), ref: 0040B31F
                  • Part of subcall function 00409F20: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00409F73
                  • Part of subcall function 00409F20: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00409FCC
                  • Part of subcall function 00409F20: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040A021
                • GetFileType.KERNEL32(?,?,?,?,?,?,?,0040479D,?,0073B170,?,?,?,00000001,00000FFF,?), ref: 0040A153
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: FileUnothrow_t@std@@@__ehfuncinfo$??2@$ErrorLast$HandleInformationTypeWrite
                • String ID:
                • API String ID: 2068948226-0
                • Opcode ID: fd324acca58732b605e6225f0af0dfff3ac82db7da90865dc66c3246031b9d48
                • Instruction ID: 55e53a244403b5028978291197fd620d83c031189daad877d11ab0d53d2a8617
                • Opcode Fuzzy Hash: fd324acca58732b605e6225f0af0dfff3ac82db7da90865dc66c3246031b9d48
                • Instruction Fuzzy Hash: D0318175600605ABD724DF69D841E6BB7E8EF48310F00862FE859E7780D734E821CB96
                APIs
                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0091CA98
                • __isleadbyte_l.LIBCMT ref: 0091CAC6
                • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 0091CAF4
                • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 0091CB2A
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                • String ID:
                • API String ID: 3058430110-0
                • Opcode ID: c888ea1c65543f3ee06b62ba76b96234de1728a40816036cb606a809cd0be1f3
                • Instruction ID: 6f4a3f3471a21d5b844d04a85211b56821679f9c1313f9fedd90beaba2034614
                • Opcode Fuzzy Hash: c888ea1c65543f3ee06b62ba76b96234de1728a40816036cb606a809cd0be1f3
                • Instruction Fuzzy Hash: DC31CF7078824EAFDB22CE75C846BEA7BA9FF41310F154529E825D71A0E731D8E1DB90
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: wcscpy
                • String ID: \\?\$\\?\UNC\
                • API String ID: 1284135714-3019864461
                • Opcode ID: 7bf9b479ae0f506667554455648a6364a1984731e0c02fe96add7b1c2cf7a454
                • Instruction ID: 2dadba5cac1b4e5ad7f7dc0767d6ba69e4db7974cd5dfc810b5d90e8ca36303b
                • Opcode Fuzzy Hash: 7bf9b479ae0f506667554455648a6364a1984731e0c02fe96add7b1c2cf7a454
                • Instruction Fuzzy Hash: 7521B43550120967DB208E28DC857EB3768EF49364F48497FEC68A67C3D239CD868B69
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _memmove$_free_malloc
                • String ID:
                • API String ID: 2856543016-0
                • Opcode ID: 4556bd1370f0ce584ba02db054b3bebeccf266fc07f55572d79384ce40e2d766
                • Instruction ID: 0b191a4e42d04a9b63a834ecd8ab821a71142cb573eba59c3000a2c7e3583d98
                • Opcode Fuzzy Hash: 4556bd1370f0ce584ba02db054b3bebeccf266fc07f55572d79384ce40e2d766
                • Instruction Fuzzy Hash: 7621A4B6D00219ABCF10DF99DC8499BBBB8FF64314B15445EFD09A3341DA35AA10CB94
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: _memcmp$_free
                • String ID:
                • API String ID: 446014804-0
                • Opcode ID: 0c7be468b5acabc05fe78fea03e52e97f946edab15982423f05219d83808557b
                • Instruction ID: 5f07b0a11b765ca54c5b271536efa050516fe5bd673d1b6d2382fe23b6241a20
                • Opcode Fuzzy Hash: 0c7be468b5acabc05fe78fea03e52e97f946edab15982423f05219d83808557b
                • Instruction Fuzzy Hash: 312192B2644706AFDB219F16DC40B52B7B9EF58360F100929E9059B6D2D731F9B0DBE0
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _memcmp$_free
                • String ID:
                • API String ID: 446014804-0
                APIs
                • WinHttpQueryHeaders.WINHTTP(?,20000013,00000000,?,?,00000000), ref: 009093A4
                • WinHttpQueryOption.WINHTTP(?,0000004E,?,?), ref: 009093F2
                • CertGetCertificateContextProperty.CRYPT32(?,00000003,?,?), ref: 0090940F
                • _memcmp.LIBCMT ref: 00909421
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: HttpQuery$CertCertificateContextHeadersOptionProperty_memcmp
                • String ID:
                • API String ID: 2937751893-0
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: _malloc$_free_memmove_memset
                • String ID:
                • API String ID: 3821639056-0
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _malloc$_free_memmove_memset
                • String ID:
                • API String ID: 3821639056-0
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _free_malloc_memset
                • String ID:
                • API String ID: 2338540524-0
                APIs
                • _malloc.LIBCMT ref: 00909085
                  • Part of subcall function 0090F7C0: __FF_MSGBANNER.LIBCMT ref: 0090F7D7
                  • Part of subcall function 0090F7C0: __NMSG_WRITE.LIBCMT ref: 0090F7DE
                  • Part of subcall function 0090F7C0: RtlAllocateHeap.NTDLL(006C0000,00000000,00000001,00000000,00000000,00000000,?,00918CB7,?,?,?,00000000,?,0091903E,00000018,00925620), ref: 0090F803
                • _malloc.LIBCMT ref: 0090908E
                • _memset.LIBCMT ref: 009090A9
                • _memset.LIBCMT ref: 009090B3
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: _malloc_memset$AllocateHeap
                • String ID:
                • API String ID: 3465003713-0
                APIs
                • _malloc.LIBCMT ref: 0041E516
                  • Part of subcall function 00424C51: __FF_MSGBANNER.LIBCMT ref: 00424C68
                  • Part of subcall function 00424C51: __NMSG_WRITE.LIBCMT ref: 00424C6F
                • _malloc.LIBCMT ref: 0041E51F
                • _memset.LIBCMT ref: 0041E53A
                • _memset.LIBCMT ref: 0041E544
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _malloc_memset
                • String ID:
                • API String ID: 4137368368-0
                APIs
                • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,00000000,00000000,00010191,00010191,?,00906328,00000000,?,?), ref: 009067AF
                • GetLastError.KERNEL32(?,00906328,00000000,?,?), ref: 009067BC
                • WriteFile.KERNEL32(00000000,00000000,00906328,?,00000000,?,?,00906328,00000000,?,?), ref: 009067DB
                • CloseHandle.KERNEL32(00000000,?,?,00906328,00000000,?,?), ref: 009067F4
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: File$CloseCreateErrorHandleLastWrite
                • String ID:
                • API String ID: 1150274393-0
                APIs
                • _strrchr.LIBCMT ref: 00904374
                • VirtualAlloc.KERNEL32(00000000,00000180,00001000,00000040), ref: 00904390
                • LoadLibraryA.KERNEL32 ref: 009043FA
                • VirtualFree.KERNEL32(00000000), ref: 0090441C
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: Virtual$AllocFreeLibraryLoad_strrchr
                • String ID:
                • API String ID: 3090839149-0
                APIs
                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0090A473
                • _calloc.LIBCMT ref: 0090A487
                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0090A4A5
                • _free.LIBCMT ref: 0090A4B0
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: ByteCharMultiWide$_calloc_free
                • String ID:
                • API String ID: 214096796-0
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                • String ID:
                • API String ID: 3016257755-0
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                • String ID:
                • API String ID: 3016257755-0
                APIs
                • MultiByteToWideChar.KERNEL32(0000FDE9,00000008,00000000,000000FF,00000000,00000000), ref: 0090A411
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: ByteCharMultiWide
                • String ID:
                • API String ID: 626452242-0
                APIs
                • _malloc.LIBCMT ref: 009035D0
                  • Part of subcall function 0090F7C0: __FF_MSGBANNER.LIBCMT ref: 0090F7D7
                  • Part of subcall function 0090F7C0: __NMSG_WRITE.LIBCMT ref: 0090F7DE
                  • Part of subcall function 0090F7C0: RtlAllocateHeap.NTDLL(006C0000,00000000,00000001,00000000,00000000,00000000,?,00918CB7,?,?,?,00000000,?,0091903E,00000018,00925620), ref: 0090F803
                • _memset.LIBCMT ref: 009035E1
                • htonl.WS2_32(00000008), ref: 009035EB
                • htonl.WS2_32(?), ref: 009035F7
                  • Part of subcall function 0090381F: htonl.WS2_32(?), ref: 00903825
                  • Part of subcall function 009036DF: _memset.LIBCMT ref: 009036F8
                  • Part of subcall function 009036DF: _free.LIBCMT ref: 00903700
                  • Part of subcall function 009036DF: _memset.LIBCMT ref: 00903759
                  • Part of subcall function 009036DF: _free.LIBCMT ref: 0090375F
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: _memsethtonl$_free$AllocateHeap_malloc
                • String ID:
                • API String ID: 1195693547-0
                APIs
                • EnterCriticalSection.KERNEL32(-0000000C,?,004050F6,00000000,?,00405F64), ref: 0040A2E1
                • WaitForSingleObject.KERNEL32(?,000000FF,?,004050F6,00000000,?,00405F64), ref: 0040A2F3
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: CriticalEnterObjectSectionSingleWait
                • String ID:
                • API String ID: 2738528119-0
                APIs
                • CloseHandle.KERNEL32(89C03359,00000000,?,009074CF,?), ref: 00907242
                • CloseHandle.KERNEL32(0F078900,00000000,?,009074CF,?), ref: 0090726E
                • _free.LIBCMT ref: 00907283
                • _free.LIBCMT ref: 00907291
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: CloseHandle_free
                • String ID:
                • API String ID: 3521661170-0
                APIs
                  • Part of subcall function 0090A109: WaitForSingleObject.KERNEL32(?,000000FF,?,00904A00,00000001,00000000,?,009049E4,00000000,00000000,00906503,00000000,00000000,0090798B), ref: 0090A117
                • CloseHandle.KERNEL32(?), ref: 00907169
                • CloseHandle.KERNEL32(?), ref: 0090716E
                • CloseHandle.KERNEL32(?), ref: 00907173
                • _free.LIBCMT ref: 00907181
                  • Part of subcall function 0090F788: HeapFree.KERNEL32(00000000,00000000,?,009158F9,00000000,?,?,?,00000000,?,0091903E,00000018,00925620,00000008,00918F8B,?), ref: 0090F79C
                  • Part of subcall function 0090F788: GetLastError.KERNEL32(00000000,?,009158F9,00000000,?,?,?,00000000,?,0091903E,00000018,00925620,00000008,00918F8B,?,?), ref: 0090F7AE
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: CloseHandle$ErrorFreeHeapLastObjectSingleWait_free
                • String ID:
                • API String ID: 2311913730-0
                APIs
                • _calloc.LIBCMT ref: 009085A5
                  • Part of subcall function 00910021: __calloc_impl.LIBCMT ref: 00910034
                • GetCurrentProcess.KERNEL32(?,?,00000010,00000000,00000001,00000002), ref: 009085C4
                • DuplicateHandle.KERNEL32(00000000), ref: 009085CB
                • _free.LIBCMT ref: 009085D6
                  • Part of subcall function 0090F788: HeapFree.KERNEL32(00000000,00000000,?,009158F9,00000000,?,?,?,00000000,?,0091903E,00000018,00925620,00000008,00918F8B,?), ref: 0090F79C
                  • Part of subcall function 0090F788: GetLastError.KERNEL32(00000000,?,009158F9,00000000,?,?,?,00000000,?,0091903E,00000018,00925620,00000008,00918F8B,?,?), ref: 0090F7AE
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: CurrentDuplicateErrorFreeHandleHeapLastProcess__calloc_impl_calloc_free
                • String ID:
                • API String ID: 2366337730-0
                • Opcode ID: 21040fd3d3ae8b77b6a6c9647741f365add4284d2c6aaae29443223f22c5cc69
                • Instruction ID: c86b02091bbdf009b49496344cc3f63d5ce748c9ea013001a74c95726b137498
                • Opcode Fuzzy Hash: 21040fd3d3ae8b77b6a6c9647741f365add4284d2c6aaae29443223f22c5cc69
                • Instruction Fuzzy Hash: 34F03672394308AFD7249F50EC46BD637A8FB15751F000059F6048B1D1DBB29991DBA5
                APIs
                • _free.LIBCMT ref: 009081CD
                  • Part of subcall function 0090F788: HeapFree.KERNEL32(00000000,00000000,?,009158F9,00000000,?,?,?,00000000,?,0091903E,00000018,00925620,00000008,00918F8B,?), ref: 0090F79C
                  • Part of subcall function 0090F788: GetLastError.KERNEL32(00000000,?,009158F9,00000000,?,?,?,00000000,?,0091903E,00000018,00925620,00000008,00918F8B,?,?), ref: 0090F7AE
                • _free.LIBCMT ref: 009081E5
                • _free.LIBCMT ref: 009081FA
                • _free.LIBCMT ref: 00908205
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: a902d991ac1750f255eaf8ed8b2caca8c5474265e81da4c98f50a18675e22761
                • Instruction ID: 7550fa7c98a2ac7e6a7934e22f2fdce7370c0157bccda66d5c149a8d1429722c
                • Opcode Fuzzy Hash: a902d991ac1750f255eaf8ed8b2caca8c5474265e81da4c98f50a18675e22761
                • Instruction Fuzzy Hash: 11F04932224B00DFDB726A28D805767B3E8BF05366F94052DE485468E1CB74BC82CE8A
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _free
                • String ID:
                • API String ID: 269201875-0
                • Opcode ID: 09f99532f5715fa75ee61da0ce2c70ed2bbe0798f7a92593d1b7cdc70fe9c228
                • Instruction ID: ca759a0c644fe40182d38439d3c31997ae292c4c3fd4ed8f4b4c33fa70c32fbd
                • Opcode Fuzzy Hash: 09f99532f5715fa75ee61da0ce2c70ed2bbe0798f7a92593d1b7cdc70fe9c228
                • Instruction Fuzzy Hash: 57F037B29117109FDB395A2AE905796B3E4FF0432AF56042FE4494BAA0877DB8C0CA4C
                APIs
                • _malloc.LIBCMT ref: 0090A136
                  • Part of subcall function 0090F7C0: __FF_MSGBANNER.LIBCMT ref: 0090F7D7
                  • Part of subcall function 0090F7C0: __NMSG_WRITE.LIBCMT ref: 0090F7DE
                  • Part of subcall function 0090F7C0: RtlAllocateHeap.NTDLL(006C0000,00000000,00000001,00000000,00000000,00000000,?,00918CB7,?,?,?,00000000,?,0091903E,00000018,00925620), ref: 0090F803
                • _memset.LIBCMT ref: 0090A14D
                • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0090A205,?,?,000000FF), ref: 0090A159
                • _free.LIBCMT ref: 0090A167
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: AllocateCreateEventHeap_free_malloc_memset
                • String ID:
                • API String ID: 4187402829-0
                • Opcode ID: d8f2380f90ed8a030e867f720c50a6312d2e2ff64586bda1480a04f51f43b60c
                • Instruction ID: 7fa3e68c428f60503c41c9dd832822f0256b1eb2d07eae7ef35ed85e56e5cd81
                • Opcode Fuzzy Hash: d8f2380f90ed8a030e867f720c50a6312d2e2ff64586bda1480a04f51f43b60c
                • Instruction Fuzzy Hash: B8E04F7264D2612DE271326A7C09E9B1A6CCFD3F61F010029F544851C1EA14498381E6
                APIs
                • closesocket.WSOCK32(?,?,?,0040682B,?,00000000,?,004066E0,?,?,00403C4A,?,?,?,?,?), ref: 004066F0
                • WSAGetLastError.WSOCK32(?,0040682B,?,00000000,?,004066E0,?,?,00403C4A,?,?,?,?,?), ref: 00406701
                • WSAGetLastError.WSOCK32(?,0040682B,?,00000000,?,004066E0,?,?,00403C4A,?,?,?,?,?), ref: 00406707
                • CloseHandle.KERNEL32(?,?,?,0040682B,?,00000000,?,004066E0,?,?,00403C4A,?,?,?,?,?), ref: 00406723
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$CloseHandleclosesocket
                • String ID:
                • API String ID: 2398627750-0
                • Opcode ID: 19a55a820fc034086b5a6f6e6ffedc93f1852c4d10f282208eb332b289abd10e
                • Instruction ID: f8b1af511f93eed33ffa8f8d82707322815a419c23ca45b431166e89200fbbed
                • Opcode Fuzzy Hash: 19a55a820fc034086b5a6f6e6ffedc93f1852c4d10f282208eb332b289abd10e
                • Instruction Fuzzy Hash: F9F05E315006248BC7209BBCED8455777A8AB053747050736E96AEB6D0D734E8108F94
                APIs
                • DeleteCriticalSection.KERNEL32(?), ref: 0040A298
                • CloseHandle.KERNEL32(?), ref: 0040A2A6
                • GetLastError.KERNEL32 ref: 0040A2B7
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: CloseCriticalDeleteErrorHandleLastSection
                • String ID:
                • API String ID: 596325006-0
                • Opcode ID: 7a587802956d7493d7662b8641c776cf43c4a070ad38b516a537fc162d588e03
                • Instruction ID: 89604f4a24fc24932e946970824464d595f4fa52147e4ba23ad12d5ff2de0c13
                • Opcode Fuzzy Hash: 7a587802956d7493d7662b8641c776cf43c4a070ad38b516a537fc162d588e03
                • Instruction Fuzzy Hash: 1FE06532640319DBCB109BF5EE489677B9CAE0476530542B6E90CE73A1E635D8108B94
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: fflushfprintf
                • String ID: Completed %d requests
                • API String ID: 1831888217-1378579972
                • Opcode ID: 26578ffbb597d28db73832c27148d75affaf0d258f25d4ead9a3db3c401a5257
                • Instruction ID: 43b92127b4a9a4139af20bfdf6b6760d73ef2c1dbd0ce1ca3c4c718fbe9ff712
                • Opcode Fuzzy Hash: 26578ffbb597d28db73832c27148d75affaf0d258f25d4ead9a3db3c401a5257
                • Instruction Fuzzy Hash: 75512975601B028FD758DF29D990A56B7F9BB88305B14C93EE49AD3390EB74F940CB88
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354392458.0000000000416000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3354327935.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354339973.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354353455.000000000040C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354365056.000000000040D000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354380696.0000000000415000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3354412961.0000000000441000.00000080.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                Yara matches
                Similarity
                • API ID: _free
                • String ID: NwA
                • API String ID: 269201875-3839944687
                • Opcode ID: 5307b0c22e6bb5b0af9fb89fe1bb5f215e1af81fab917a7a676cb1c2954f1a50
                • Instruction ID: ce67993239947c21060d8328341ed1ffb57aba4b3c28f4ab71936084b28dce48
                • Opcode Fuzzy Hash: 5307b0c22e6bb5b0af9fb89fe1bb5f215e1af81fab917a7a676cb1c2954f1a50
                • Instruction Fuzzy Hash: 55F0D632200802BACA262E96DC42DEB776DBF81754B10011EF90842551EB79E5E2D6A5
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3354592549.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true
                • Associated: 00000000.00000002.3354581075.0000000000900000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354610677.0000000000921000.00000002.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.0000000000927000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092C000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354623134.000000000092E000.00000004.00001000.00020000.00000000.sdmp
                • Associated: 00000000.00000002.3354658524.000000000092F000.00000002.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_900000_1.jbxd
                Yara matches
                Similarity
                • API ID: __calloc_crt
                • String ID: "n
                • API String ID: 3494438863-3400832397
                • Opcode ID: e030d46d2ff2da0bafcdcfd9b68e0557a89219eac6099172f52c5677f4be07d2
                • Instruction ID: 7f435cd950bcb995ead76d5e2ca7771e821dc59168f7f43782de91fa4af92a20
                • Opcode Fuzzy Hash: e030d46d2ff2da0bafcdcfd9b68e0557a89219eac6099172f52c5677f4be07d2
                • Instruction Fuzzy Hash: 4DF0287131A315DAF734CB56BC44BF123DCE749720F10082AE115DA5E4E7B0ACC25396